
Cloud SIEM Enterprise Release Notes


Content Release 2022-09-19

Rules
  • [Deleted] CHAIN-S00009 Proofpoint TAP Click Permitted Followed by Successful Request
Log Mappers
  • [New] Wiz Catch All
  • [Updated] Orca Security Parser - Catch All
Schema
  • [New] cloud_provider
  • [New] cloud_region
  • [New] cloud_service
  • [New] cloud_zone
  • [New] device_container_id
  • [New] device_container_name
  • [New] device_container_runtime
  • [New] device_image
  • [New] device_type
  • [New] dstDevice_container_id
  • [New] dstDevice_container_name
  • [New] dstDevice_container_runtime
  • [New] dstDevice_image
  • [New] dstDevice_type
  • [New] resourceType
  • [New] srcDevice_container_id
  • [New] srcDevice_container_name
  • [New] srcDevice_container_runtime
  • [New] srcDevice_image
  • [New] srcDevice_type
  • [Updated] dstDevice_uniqueId

Application Update 2022-09-12

Insight Enrichment Server for Fed deployment
  • [Updated] We’ve released a new version of the Insight Enrichment Server that runs on the Sumo Logic FedRAMP-compliant deployment. This makes Cloud SIEM Enterprise (CSE) on FedRAMP functionally equivalent to commercial deployments of CSE.

Application Update 2022-09-09

Minor Changes and Enhancements
  • [New] An API endpoint has been added which enables users to delete multiple entries in a match list in one operation: POST /match-list-items/bulk-delete
  • [Updated] When inventory data for hosts includes both private and public IP addresses, that data will be attached to both Entities. Previously it was only attached to one of the IP address Entities.
  • [Updated] Previously we announced that the severity attribute for Insights in the Audit Logs would be switching from numbers (1-4) to text (LOW, MEDIUM, HIGH, etc). Instead, we have retained the existing numerical attribute and added a new attribute severityName containing the human-readable text. 
Resolved Issues
  • In some Audit Log messages related to Insight comments, the insight_readable_id was not set correctly.
  • In some cases, manually adding or removing tags in an Insight was not being recorded in the Audit Logs properly.
  • For some customers, the bar chart on the Records list page was not rendering properly.
  • Time/date stamps were not being displayed consistently across the UI.
  • Some pages were returning intermittent 404 or internal errors.  

Content Release 2022-09-08

In 1 week (2022-09-15) we will be removing the CHAIN-S00009 'Proofpoint TAP Click Permitted Followed by Successful Request' rule to consolidate Proofpoint TAP rules while providing equivalent detection value.

Rules
  • [Updated] MATCH-S00819 Chromium Process Started With Debugging Port
Log Mappers
  • [Updated] Aruba ClearPass Syslog
Parsers
  • [Updated] /Parsers/System/HP/Aruba ClearPass - Syslog
  • [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
  • [Updated] /Parsers/System/Microsoft/Microsoft IIS

Application Update 2022-09-01

Announcements
  • Starting October 1, 2022, suppressed Signals will be retained in CSE for 30 days (previously, they were retained for 90 days). All Signals are automatically stored in the Sumo sec_signals index for 2 years, so users searching for suppressed Signals more than 30 days old should search in that index instead of in the CSE UI.
    • Note also that in the past, Signals attached to Insights were searchable from the CSE Signals list page indefinitely. Starting on October 1, they will only be searchable for 365 days. (They will still be visible from the Insight details page beyond that period.) 
  • As previously announced, the Sensor and IBM Resilient actions are no longer supported. They will be removed from CSE by the end of this month.
Minor Changes and Enhancements
  • [New] In the Audit Log, when an Insight is created, the sum of the included Signals' severities is now recorded with the Insight in the risk_score field (for example, three Signals each with a severity of 4 yield a risk_score of 12).
  • [Updated] The "Copy Expression" mouse action for record fields can now be activated using Shift+Click. The Click action now brings up a "Copy Value" action instead. 
  • [New] Users can now delete Match Lists from the list view (i.e. users no longer have to go into the details).
  • [New] On the Criticality list page, the number of Entity Groups associated with each Criticality is now listed on the cards.
Resolved Issues
  • In some cases where the Signals were relatively old, the Signals that contributed to an Insight were no longer visible in the Insight in the UI.
  • Time stamps were missing from Records in some views.

Content Release 2022-09-01

In 2 weeks (2022-09-15) we will be removing the CHAIN-S00009 'Proofpoint TAP Click Permitted Followed by Successful Request' rule to consolidate Proofpoint TAP rules while providing equivalent detection value.

Rules
  • [New] MATCH-S00818 Azure PRT Token Issued via Non Interactive Login
  • [New] MATCH-S00821 Chromium Browser History Access by Non-Browser Process
  • [New] MATCH-S00819 Chromium Process Started With Debugging Port
  • [New] MATCH-S00820 Cloud Credential File Accessed
  • [New] MATCH-S00817 Suspicious Azure Active Directory Device Code Authentication
  • [Updated] MATCH-S00235 Azure - Create User
Log Mappers
  • [New] Mimecast AV Event
  • [New] Mimecast Impersonation Event
  • [New] Mimecast Spam Event
  • [Updated] AzureActivityLog AuditLogs

Application Update 2022-08-25

Cloud SIEM Enterprise App is now available

The CSE app gives you visibility into what’s going on in Cloud SIEM Enterprise. The app dashboards present high-level and detailed views into the Records that were created, the Signals that have fired, and the Insights generated by CSE. You can also get insight into CSE rules, including rule management activity and which rules have fired.

This app is available to all licensed CSE customers in the Sumo Logic App Catalog. For more information, see CSE App.

Content Release 2022-08-25

Rules
  • [Updated] MATCH-S00632 Okta Administrator Access Granted
  • [Updated] MATCH-S00683 Overly Permissive Chmod Command
Log Mappers
  • [New] Check Point Avanan
  • [New] Cisco ISE Authentication Failure
  • [New] Cisco ISE Authentication Success
  • [New] Cisco ISE Catch All
  • [New] FireEye Web MPS Event
  • [Updated] Microsoft Office 365 Threat Intelligence Events
  • [Updated] Windows Microsoft-Windows-Sysmon/Operational 3
  • [Updated] Windows Security 4688
Parsers
  • [New] /Parsers/System/Check Point/Check Point Avanan JSON
  • [New] /Parsers/System/Cisco/Cisco ISE
  • [New] /Parsers/System/FireEye/FireEye Web MPS JSON

Application Update 2022-08-18

Resolved Issues
  • Several issues were resolved related to the bulk upload of Entity attributes, including errors with CSV file parsing, editing uploaded attributes in the UI, and a lack of audit logging.
  • On the Entity details page, the criticality was not being displayed properly.
  • Labels were not being created properly based on Network Blocks for a small number of customers.
  • InsightCommentCreated audit events did not include the readableId attribute.
  • For some record types, the Actions field was not being displayed if selected as a favorite field.  

Application Update 2022-07-28

Read-Only User Capabilities for CSE

New user capabilities (permissions) have been created enabling read-only access to content and configuration features in CSE.

These can be used when defining roles in the Sumo Logic platform (at Administration > Users and Roles > Roles):

[Screenshot: Read-Only-Roles.png]

(For those with CSE instances in the jask.ai domain, these capabilities are accessed via the Configuration > Roles page in CSE.)

Users with these capabilities (without the corresponding Manage capabilities) will be able to view the corresponding pages but will not be able to make changes on those pages. (Previously, users without the Manage capabilities could not see the corresponding pages.)

These permissions also apply to CSE APIs, so View (only) capabilities can now be assigned if desired.

Minor Changes and Enhancements
  • [Updated] When Threat Intelligence polling fails, the corresponding event will now include more information about the specific error that occurred.
  • [Updated] The API endpoints that return information about Signals (GET /signals, GET /signals/<id>, and  GET /signals/all) now include the summary field (previously only accessible via the UI).
  • [New] The Sumo Logic audit logs will now include events when a user adds or removes a Signal to/from an Insight, and when a user adds a comment to an Insight.
Resolved Issues
  • The GET /rules and GET /rules/<id> API endpoints did not require role capabilities for access; they now require either View Rules or Manage Rules.
  • Favorite Fields were not always being displayed on Signals generated by Threshold Rules.
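
The View/Manage split above, together with the resolved issue that GET /rules and GET /rules/<id> were previously reachable without any capability, is the kind of authorization regression a role owner will want to re-check after each release. The script below is an added example, not CSE code: it models a route table in which any one of a set of capabilities grants access (View or Manage for reads, Manage alone for writes), computes the status each route should return for a given principal, and compares that against whatever an injected HTTP client observes. The route paths, the capability strings and the /sec/v1 prefix are assumptions for illustration; the notes only state that the two rules endpoints now require either View Rules or Manage Rules. The fake_server function is a constructed stand-in for the API so the check runs offline.

```python
"""Authorization-matrix check for the View/Manage capability split.

Added example, not CSE code. The route table, capability names and paths are
assumptions for illustration: the release notes only state that GET /rules and
GET /rules/<id> now require either "View Rules" or "Manage Rules".
"""
from typing import Callable, Dict, FrozenSet, Iterable, List, Tuple

Route = Tuple[str, str]  # (HTTP method, path template)

# Any one capability in the set grants access to the route (assumed policy).
ROUTE_POLICY: Dict[Route, FrozenSet[str]] = {
    ("GET", "/sec/v1/rules"): frozenset({"View Rules", "Manage Rules"}),
    ("GET", "/sec/v1/rules/{id}"): frozenset({"View Rules", "Manage Rules"}),
    ("POST", "/sec/v1/rules"): frozenset({"Manage Rules"}),
    ("DELETE", "/sec/v1/rules/{id}"): frozenset({"Manage Rules"}),
    ("GET", "/sec/v1/signals"): frozenset({"View Signals", "Manage Signals"}),
}


def is_allowed(caps: Iterable[str], route: Route) -> bool:
    """Deny by default: a route absent from the policy is treated as unguarded and rejected."""
    required = ROUTE_POLICY.get(route)
    if required is None:
        return False
    return not required.isdisjoint(set(caps))


def expected_status(caps: Iterable[str], route: Route) -> int:
    return 200 if is_allowed(caps, route) else 403


def audit_api(caps: Iterable[str], fetch: Callable[[str, str], int]) -> List[Tuple[Route, int, int]]:
    """Probe every route as a principal holding `caps`; return (route, expected, observed)
    for each mismatch. `fetch(method, path)` performs the request and returns the HTTP
    status: inject a real HTTP client in production and a fake one in tests."""
    caps = set(caps)
    mismatches = []
    for route in ROUTE_POLICY:
        observed = fetch(*route)
        expected = expected_status(caps, route)
        if observed != expected:
            mismatches.append((route, expected, observed))
    return mismatches


def fake_server(caps: Iterable[str], unguarded: Iterable[Route] = ()) -> Callable[[str, str], int]:
    """Constructed stand-in for the API: enforces ROUTE_POLICY for the principal `caps`,
    except for routes in `unguarded`, which always return 200 (the pre-fix GET /rules bug)."""
    caps = set(caps)
    unguarded = set(unguarded)

    def fetch(method: str, path: str) -> int:
        route = (method, path)
        if route in unguarded or is_allowed(caps, route):
            return 200
        return 403

    return fetch


if __name__ == "__main__":
    read_only = {"View Rules"}
    no_rules_access = set()
    # A server with the old bug: rule reads succeed for a principal with no capabilities.
    buggy = fake_server(no_rules_access, unguarded={("GET", "/sec/v1/rules"), ("GET", "/sec/v1/rules/{id}")})
    for route, exp, obs in audit_api(no_rules_access, buggy):
        print(f"{route[0]} {route[1]}: expected {exp}, observed {obs}")
    # A fixed server: a view-only principal can read but not write, with no findings.
    assert audit_api(read_only, fake_server(read_only)) == []
```

Run it against the live API by replacing fake_server with a function that issues the request with the credentials of the role under test and returns the status code; any row it prints is a route that is either unguarded or guarded by the wrong capability.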

Application Update 2022-07-21

Entity Groups

Entity attributes (tags, criticality and suppression) provide value to users of Cloud SIEM Enterprise in several ways: investigations can be completed faster with more context, Insights can be prioritized with the appropriate severity, and false-positive Signals from test instances can be prevented, for example. However, setting those attributes has been a manual process, and keeping them in sync as new Entities are defined is difficult.

That's why we are pleased to announce a new feature called Entity Groups. By defining Entity Groups, attributes can be automatically applied (or removed) based on Entity value (name), IP address, or Inventory group membership. For example, all high-risk laptops will receive higher criticality -- even if such a laptop is added to your environment months later. 

Entities can even be members of more than one Entity Group, so a high-risk laptop in the Austin office could both get a tag identifying its location and receive the higher criticality. And if you later reassigned it so that it was no longer in a high-risk group, the criticality would be automatically removed.

To create an Entity Group, a new configuration menu item has been added:

[Screenshot: Entity-Groups-Menu.png]

On the Entity Groups page, click the Create button:

[Screenshot: Entity-Groups-List.png]

This will open the detail dialog:

[Screenshot: Entity-Groups-Create.png]

Here you can decide what attribute Group membership should be based on:

  • Group membership in your Inventory system (such as Active Directory)
  • Entity value (name) - prefix or suffix (such as "aus-" or "-public")
  • IP address range (for IP Address entities) defined using the CIDR format

Entity Groups also support sensor zones.

Then you can define what attribute(s) should be applied to member Entities - tags, criticality and/or suppression.

This release also includes API and Terraform support for Entity Groups.

More information about this exciting new feature and how to use it is in the documentation at Using Entity Groups.
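
The membership rules and attribute behaviour described above can be made concrete with a small evaluator. The code below is an added example, not CSE's implementation: it models the three membership criteria (Inventory group, Entity name prefix or suffix, CIDR range) and the three attributes a group applies (tags, criticality, suppression), and recomputes an Entity's group-derived attributes from scratch so that an attribute disappears once the Entity no longer matches the group that granted it, as the high-risk laptop scenario above describes. How conflicts between several matching groups are resolved is not stated on the page, so the choices here are assumptions: tags are the union, suppression applies if any matching group sets it, and the highest criticality wins. The criticality names and levels and the sample groups and Entities are constructed for illustration.

```python
"""Entity Group membership and attribute resolution.

Added example, not CSE code. Conflict handling (union of tags, any-group
suppression, highest criticality wins) and the criticality ranking are
assumptions; the group definitions and Entities below are constructed samples.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Set

CRITICALITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}  # assumed ordering


@dataclass(frozen=True)
class Entity:
    value: str                                      # Entity name, or IP address for IP Entities
    inventory_groups: FrozenSet[str] = frozenset()  # groups reported by the Inventory source


@dataclass(frozen=True)
class EntityGroup:
    name: str
    # exactly one membership criterion is set per group
    inventory_group: Optional[str] = None
    name_prefix: Optional[str] = None
    name_suffix: Optional[str] = None
    cidr: Optional[str] = None
    # attributes applied to member Entities
    tags: FrozenSet[str] = frozenset()
    criticality: Optional[str] = None
    suppressed: bool = False

    def matches(self, e: Entity) -> bool:
        if self.inventory_group is not None:
            return self.inventory_group in e.inventory_groups
        if self.name_prefix is not None:
            return e.value.startswith(self.name_prefix)
        if self.name_suffix is not None:
            return e.value.endswith(self.name_suffix)
        if self.cidr is not None:
            try:
                return ip_address(e.value) in ip_network(self.cidr, strict=False)
            except ValueError:  # not an IP Entity, so a CIDR group cannot match it
                return False
        return False


@dataclass
class Attributes:
    tags: Set[str] = field(default_factory=set)
    criticality: Optional[str] = None
    suppressed: bool = False
    groups: List[str] = field(default_factory=list)


def resolve(e: Entity, groups: List[EntityGroup]) -> Attributes:
    """Recompute group-derived attributes from the current group definitions, so an
    attribute granted by a group the Entity no longer matches is dropped, not retained."""
    out = Attributes()
    for g in groups:
        if not g.matches(e):
            continue
        out.groups.append(g.name)
        out.tags |= g.tags
        out.suppressed = out.suppressed or g.suppressed
        if g.criticality and (out.criticality is None or
                              CRITICALITY_RANK[g.criticality] > CRITICALITY_RANK[out.criticality]):
            out.criticality = g.criticality
    return out


# Constructed sample configuration mirroring the scenarios in the release note
GROUPS = [
    EntityGroup("High-risk laptops", inventory_group="CN=HighRisk,OU=Laptops", criticality="High"),
    EntityGroup("Austin office", name_prefix="aus-", tags=frozenset({"location:austin"})),
    EntityGroup("Public hosts", name_suffix="-public", tags=frozenset({"exposure:public"})),
    EntityGroup("Test lab", cidr="10.99.0.0/16", suppressed=True),
]

if __name__ == "__main__":
    laptop = Entity("aus-lt-0042", frozenset({"CN=HighRisk,OU=Laptops"}))
    print(resolve(laptop, GROUPS))            # High criticality plus the Austin tag
    print(resolve(Entity("aus-lt-0042"), GROUPS))  # reassigned: criticality gone, tag stays
    print(resolve(Entity("10.99.12.7"), GROUPS))   # IP Entity in the test range: suppressed
```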

Signal Index

Starting today, Signals generated by Cloud SIEM Enterprise will be automatically saved in a new sec_signal index. This special partition is similar to the existing sec_record_* indices: unlike data retained using the older Signal Forwarding feature, it is saved as proper JSON, supporting keyword search and nested attributes. 

The new index is automatically generated and retained for a period of 2 years at no additional cost for all CSE customers.

As a result, the optional Signal Forwarding feature will be deprecated on September 22, 2022. Existing data will not be deleted but new Signals generated after that date will no longer be forwarded and the option will no longer be available in CSE. 

Customers leveraging Signal Forwarding data to generate dashboards (or for other use cases) will need to modify those applications to use the new sec_signal index before September 22.

Note that because the new index is a special partition, a single query cannot be used to search both the sec_signal index and older forwarded Signal data simultaneously.

More information about using the special security indices is in the documentation at Searching for CSE Data in CIP.

Minor Changes and Enhancements
  • [Updated] The page used to configure the detection window and Insight threshold has moved. Where previously it was accessed from a button on the Custom Insights list page, it is now accessed via a new Workflow > Detection option in the Configuration menu:
    [Screenshot: Threshold-Menu.png]
    Note the URL has also changed as a result; please update any bookmarks.
Resolved Issues
  • When navigating to a CSE page (with sumologic.com in the domain name), if the user had to log in or authenticate first, they were not auto-forwarded to the appropriate CSE page afterwards but were instead taken to the Continuous Intelligence Platform home page. This has now been resolved and users are auto-forwarded correctly.

Application Update 2022-07-14

Minor Changes and Enhancements
  • [Updated] The text size has been adjusted in some areas on the Rules details page to improve readability. 
Resolved Issues
  • In some instances, after uploading Network Blocks via .csv file, they would fail to appear in the UI.
Announcement Update
  • The new Signal Index (previously announced) has been delayed, and will be available starting next week. As a result, the deprecation of the old Signal Forwarding feature will be delayed until September 22, 2022.

Content Release 2022-07-14

Log Mappers
  • [New] Carbon Black Cloud Alert - Tuned Activity
  • [Updated] Cisco ASA 106001 JSON
  • [Updated] Cisco ASA 106002 JSON
  • [Updated] Cisco ASA 106006 JSON
  • [Updated] Cisco ASA 106007 JSON
  • [Updated] Cisco ASA 106010 JSON
  • [Updated] Cisco ASA 106012 JSON
  • [Updated] Cisco ASA 106014 JSON
  • [Updated] Cisco ASA 106015 JSON
  • [Updated] Cisco ASA 106021 JSON
  • [Updated] Cisco ASA 106027 JSON
  • [Updated] Cisco ASA 106100 JSON
  • [Updated] Cisco ASA 106102-3 JSON
  • [Updated] Cisco ASA 109005-8 JSON
  • [Updated] Cisco ASA 110002 JSON
  • [Updated] Cisco ASA 113004 JSON
  • [Updated] Cisco ASA 113005 JSON
  • [Updated] Cisco ASA 113012-17 JSON
  • [Updated] Cisco ASA 209004 JSON
  • [Updated] Cisco ASA 302020-1 JSON
  • [Updated] Cisco ASA 303002 JSON
  • [Updated] Cisco ASA 304001 JSON
  • [Updated] Cisco ASA 304002 JSON
  • [Updated] Cisco ASA 305011-12 JSON
  • [Updated] Cisco ASA 313001 JSON
  • [Updated] Cisco ASA 313004 JSON
  • [Updated] Cisco ASA 313005 JSON
  • [Updated] Cisco ASA 314003 JSON
  • [Updated] Cisco ASA 322001 JSON
  • [Updated] Cisco ASA 338001-8+338201-4 JSON
  • [Updated] Cisco ASA 4000nn JSON
  • [Updated] Cisco ASA 406001 JSON
  • [Updated] Cisco ASA 406002 JSON
  • [Updated] Cisco ASA 419001 JSON
  • [Updated] Cisco ASA 419002 JSON
  • [Updated] Cisco ASA 500004 JSON
  • [Updated] Cisco ASA 602303-4 JSON
  • [Updated] Cisco ASA 605004-5 JSON
  • [Updated] Cisco ASA 710002-3 JSON
  • [Updated] Cisco ASA 710005 JSON
  • [Updated] Cisco ASA tcp_udp_sctp_teardowns JSON
Parsers
  • [Updated] /Parsers/System/VMware/Carbon Black Cloud
  • [Updated] /Parsers/System/Cisco/Cisco ASA

Application Update 2022-07-08

Announcement
  • The built-in HipChat Action will be deprecated on August 25, 2022.
Minor Changes and Enhancements
  • [Updated] An option has been added to the Enrichments tab which allows the user to hide any empty fields in the results. 
Resolved Issues
  • In some cases, changes to Rule Tuning Expressions were not being written to the Audit Logs properly.
  • Mapper field format_parameters was not populating.
  • Some of the links on the Related Entities tab of the Insight detail pages were malformed.

Content Release 2022-07-07

Rules
  • [New] MATCH-S00816 Interactive Logon to Domain Controller
  • [Updated] MATCH-S00246 AWS CloudTrail - GetSecretValue from non Amazon IP
  • [Updated] THRESHOLD-S00096 Brute Force Attempt
  • [Updated] MATCH-S00565 Direct Outbound DNS Traffic
  • [Updated] THRESHOLD-S00103 Domain Brute Force Attempt
  • [Updated] THRESHOLD-S00102 Domain Password Attack
  • [Updated] THRESHOLD-S00099 Long URL Containing SQL Commands
  • [Updated] THRESHOLD-S00095 Password Attack
  • [Updated] CHAIN-S00008 Successful Brute Force
  • [Updated] MATCH-S00185 Windows - Remote System Discovery
Log Mappers
  • [Updated] Palo Alto GlobalProtect - Custom Parser
  • [Updated] Palo Alto GlobalProtect Auth - Custom Parser
  • [Updated] Windows - System - 7045
  • [Updated] Zscaler - Nanolog Streaming Service - JSON
Parsers
  • [Updated] /Parsers/System/F5/F5 Syslog
  • [Updated] /Parsers/System/Google/GCP

Content Release 2022-07-05

Rules
  • [Updated] MATCH-S00246 AWS CloudTrail - GetSecretValue from non Amazon IP
  • [Updated] THRESHOLD-S00096 Brute Force Attempt
  • [Updated] MATCH-S00565 Direct Outbound DNS Traffic
  • [Updated] THRESHOLD-S00103 Domain Brute Force Attempt
  • [Updated] THRESHOLD-S00102 Domain Password Attack
  • [Updated] THRESHOLD-S00099 Long URL Containing SQL Commands
  • [Updated] THRESHOLD-S00095 Password Attack
  • [Updated] CHAIN-S00008 Successful Brute Force
  • [Updated] MATCH-S00185 Windows - Remote System Discovery
Log Mappers
  • [Updated] McAfee Endpoint Security Custom Parser
  • [Updated] Microsoft SQL Server Parser - Authentication
Parsers
  • [Updated] /Parsers/System/Linux/Linux OS Syslog
  • [Updated] /Parsers/System/McAfee/McAfee EPO XML
  • [Updated] /Parsers/System/Microsoft/Microsoft SQL Server
  • [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV
  • [Updated] /Parsers/System/Twistlock/Twistlock

Announcement 2022-06-24

Signal Index

Beginning July 15, 2022, Signals generated by Cloud SIEM Enterprise will be automatically saved in a new sec_signals index. This index/special partition will be similar to the existing sec_record_* indices in that, unlike data retained using the older Signal Forwarding feature, it will be saved in proper JSON supporting keyword search and nested attributes. 

The new index will be automatically generated and retained for a period of 2 years at no additional cost for all CSE customers.

As a result, the optional Signal Forwarding feature in CSE will be deprecated on September 15, 2022. Existing data will not be deleted but new Signals generated after that date will no longer be forwarded and the option will no longer be available in CSE. 

Customers leveraging Signal Forwarding data to generate dashboards (or for other use cases) will need to modify those applications to use the new sec_signals index before September 15.

If you have any questions or concerns, please contact Sumo Logic customer support.

Application Update 2022-06-24

Minor Changes and Enhancements
  • [New] On the Insight details pages, if the user has selected the Show Related Signals option, the related Signals will appear on the Signals Timeline graph.
Resolved Issues
  • The /sec/v1/insights/{}/tags API endpoint was returning a 500/INTERNAL_SERVER_ERROR. 

Content Release 2022-06-21

Log Mappers
  • [Updated] McAfee Avecto Defendpoint
Parsers
  • [Updated] /Parsers/System/Cisco/Cisco ASA
  • [Updated] /Parsers/System/McAfee/McAfee EPO XML

Content Release 2022-06-15

Rules
  • [Updated] MATCH-S00400 Web Download via Office Binaries
Log Mappers
  • [New] GCP Parser - Load Balancer
Parsers
  • [Updated] /Parsers/System/Google/GCP
  • [Updated] /Parsers/System/Orca Security/Orca Security
  • [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV
 

Application Update 2022-06-13

Minor Changes and Enhancements
  • [Updated] List filters have been updated to better support custom Entity types; users no longer have to specify the Entity type in order to filter by Entity value (i.e. name). (Old bookmarks will continue to work.)
  • [Updated] On the Insight Details pages, the sort order for Signals has been reverted to oldest first. As always, the user can change the sort order and in an upcoming release, the UI will be updated to retain the user's selected sort order across sessions.
  • [Deleted] The standalone Suppressed Entities list page has been removed from the UI as it was confusing to users. To retrieve a list of suppressed Entities, users should filter the Entities list page.
Resolved Issues
  • CSV upload for Network Blocks was not working unless the (optional) "label" field was provided.
  • When filtering lists by date, the "include current" checkbox was not working consistently.

Content Release 2022-06-09

Rules
  • [New] MATCH-S00815 Threat Intel - Successful Authentication from Threat IP
  • [Updated] MATCH-S00687 Linux Security Tool Usage
  • [Updated] MATCH-S00555 Threat Intel - Inbound Traffic Context
Log Mappers
  • [Updated] Cyber Ark Vault JSON
Parsers
  • [New] /Parsers/System/Cyber-Ark/Cyber-Ark Vault - CEF
  • [Updated] /Parsers/System/AWS/AWS ELB
  • [Updated] /Parsers/System/AWS/AWS WAF

Content Release 2022-06-07

Rules
  • [Updated] MATCH-S00814 Abnormal Child Process - sdiagnhost.exe - CVE-2022-30190
  • [Updated] MATCH-S00147 WMI Managed Object Format (MOF) Process Execution
Log Mappers
  • [New] Bitdefender - avc
  • [New] Bitdefender - fw
  • [New] Bitdefender - hd
  • [New] Bitdefender - network-monitor
  • [New] Bitdefender - new-incident
  • [New] Linux OS Syslog - Cron - Generic
  • [New] Linux OS Syslog - sshd - session timeout
  • [Updated] Bitdefender Catch All
  • [Updated] SonicWall Firewall - Custom Parser
Parsers
  • [Updated] /Parsers/System/Dell/Dell SonicWall
  • [Updated] /Parsers/System/Linux/Linux OS Syslog

Content Release 2022-06-03

Rules
  • [New] MATCH-S00814 Abnormal Child Process - sdiagnhost.exe - CVE-2022-30190
  • [New] MATCH-S00813 Microsoft Support Diagnostic Tool Invoking PowerShell - CVE-2022-30190
  • [New] MATCH-S00812 Microsoft Support Diagnostic Tool with BrowseForFile - CVE-2022-30190
  • [Updated] THRESHOLD-S00080 Internal Port Scan
  • [Updated] MATCH-S00811 MS Office Product Spawning Msdt.exe - CVE-2022-30190
Log Mappers
  • [New] Google G Suite - logout
  • [New] McAfee Mvision ENS incidents - Parser
  • [New] McAfee Mvision ENS threats - Parser
  • [New] Okta Authentication - auth_via_AD_agent
  • [New] Okta Authentication - auth_via_mfa
  • [New] Okta Authentication - auth_via_radius
  • [New] Okta Authentication - sso
  • [Updated] Google G Suite - login.login
  • [Updated] Okta Authentication Events
  • [Updated] Salesforce LoginAs Mapping
Parsers
  • [New] /Parsers/System/McAfee/McAfee Mvision ENS
Schema
  • [Updated] device_ip_asnNumber
  • [Updated] device_ip_asnOrg
  • [Updated] device_ip_city
  • [Updated] device_ip_countryCode
  • [Updated] device_ip_countryName
  • [Updated] device_ip_isp
  • [Updated] device_ip_latitude
  • [Updated] device_ip_longitude
  • [Updated] device_ip_region
  • [Updated] device_natIp_asnNumber
  • [Updated] device_natIp_asnOrg
  • [Updated] device_natIp_city
  • [Updated] device_natIp_countryCode
  • [Updated] device_natIp_countryName
  • [Updated] device_natIp_isp
  • [Updated] device_natIp_latitude
  • [Updated] device_natIp_longitude
  • [Updated] device_natIp_region
  • [Updated] dns_replyIp_asnNumber
  • [Updated] dns_replyIp_asnOrg
  • [Updated] dns_replyIp_city
  • [Updated] dns_replyIp_countryCode
  • [Updated] dns_replyIp_countryName
  • [Updated] dns_replyIp_isp
  • [Updated] dns_replyIp_latitude
  • [Updated] dns_replyIp_longitude
  • [Updated] dns_replyIp_region
  • [Updated] dstDevice_ip_asnNumber
  • [Updated] dstDevice_ip_asnOrg
  • [Updated] dstDevice_ip_city
  • [Updated] dstDevice_ip_countryCode
  • [Updated] dstDevice_ip_countryName
  • [Updated] dstDevice_ip_isp
  • [Updated] dstDevice_ip_latitude
  • [Updated] dstDevice_ip_longitude
  • [Updated] dstDevice_ip_region
  • [Updated] srcDevice_ip_asnNumber
  • [Updated] srcDevice_ip_asnOrg
  • [Updated] srcDevice_ip_city
  • [Updated] srcDevice_ip_countryCode
  • [Updated] srcDevice_ip_countryName
  • [Updated] srcDevice_ip_isp
  • [Updated] srcDevice_ip_latitude
  • [Updated] srcDevice_ip_longitude
  • [Updated] srcDevice_ip_region

Announcement 2022-06-01

Geographical Data for IP Addresses
  • As previously announced, CSE has switched to a new provider for geographical data for IP addresses. One consequence of this change is that the various _isp enrichment fields (listed below) are no longer being populated. However, that data is available in the equivalent _asnOrg fields (such as device_ip_asnOrg). If you have any rules that leverage the _isp fields, please switch to the _asnOrg fields as soon as possible.
  • Because these fields will no longer be populated, they will be removed on June 7, 2022:
    • device_ip_isp
    • device_natIp_isp
    • device_replyIp_isp
    • dstDevice_ip_isp
    • dstDevice_natIp_isp
    • srcDevice_ip_isp
    • srcDevice_natIp_isp
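
Rules that reference any of the fields above will silently stop matching once the fields are empty, and will break outright when they are removed, so it is worth finding and rewriting them before June 7 rather than waiting for the detections to go quiet. The script below is an added example, not Sumo Logic tooling: it takes rule expressions as text, replaces each field from the list above with its _asnOrg equivalent, matches whole identifiers only so that a longer field name containing the same characters is left untouched, and reports every substitution so the change can be reviewed before the rule is saved. The sample rule expressions and their names are constructed for illustration; the field list is the one published above, and the mapping to _asnOrg follows the device_ip_isp to device_ip_asnOrg example in the announcement.

```python
"""Rewrite rule expressions that reference the removed *_isp enrichment fields.

Added example, not Sumo Logic tooling. The field list is the one in the
announcement; the sample rules below are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

REMOVED_ISP_FIELDS = [
    "device_ip_isp",
    "device_natIp_isp",
    "device_replyIp_isp",
    "dstDevice_ip_isp",
    "dstDevice_natIp_isp",
    "srcDevice_ip_isp",
    "srcDevice_natIp_isp",
]

# Each removed field maps to the same prefix with the _asnOrg suffix (device_ip_isp -> device_ip_asnOrg).
FIELD_MAP: Dict[str, str] = {f: f[: -len("_isp")] + "_asnOrg" for f in REMOVED_ISP_FIELDS}

# Whole identifiers only: a name such as srcDevice_ip_isp_tag (constructed) must not be touched.
_FIELD_RE = re.compile(
    r"(?<![A-Za-z0-9_])(" + "|".join(map(re.escape, REMOVED_ISP_FIELDS)) + r")(?![A-Za-z0-9_])"
)


def migrate_expression(expression: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return the rewritten expression and the (old, new) pairs substituted, in order."""
    changes: List[Tuple[str, str]] = []

    def _sub(m):
        old = m.group(1)
        new = FIELD_MAP[old]
        changes.append((old, new))
        return new

    return _FIELD_RE.sub(_sub, expression), changes


def find_rules_to_update(rules: Dict[str, str]) -> Dict[str, str]:
    """Given {rule_name: expression}, return only the rules that reference a removed
    field, with their expressions already rewritten. Unaffected rules are omitted."""
    updated: Dict[str, str] = {}
    for name, expr in rules.items():
        new_expr, changes = migrate_expression(expr)
        if changes:
            updated[name] = new_expr
    return updated


# Constructed sample rules (names and expressions are illustrative, not CSE content)
SAMPLE_RULES = {
    "Threat IP from hosting ISP": 'srcDevice_ip_isp matches /hosting/i AND action = "allowed"',
    "NAT ISP mismatch": "device_natIp_isp != dstDevice_ip_isp",
    "Unaffected rule": 'srcDevice_ip_asnOrg = "Example Org" AND srcDevice_ip_isp_tag = 1',
}

if __name__ == "__main__":
    for name, expr in find_rules_to_update(SAMPLE_RULES).items():
        print(f"{name}: {expr}")
```

In practice the rule expressions would come from an export of your custom rules; review each reported substitution, since a rule that compared an _isp value against a literal ISP name may need its literal adjusted as well, because the _asnOrg data comes from a different provider.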

Content Release 2022-05-31

Rules
  • [New] MATCH-S00811 MS Office Product Spawning Msdt.exe - CVE-2022-30190
  • [Updated] MATCH-S00612 GCP Audit Secrets Manager Activity
  • [Updated] MATCH-S00766 Okta MFA Deactivated for User
  • [Updated] THRESHOLD-S00101 Sharepoint - Excessive Documents Accessed
  • [Updated] THRESHOLD-S00100 Sharepoint - Excessive Documents Downloaded
Log Mappers
  • [New] Aruba ClearPass User Authentication Failed
  • [New] Aruba ClearPass User Authentication Successful
  • [New] Cisco Secure Email Parser - Catch All
  • [New] Exabeam Parser - Catch All
  • [New] Jamf Parser - Catch All
  • [New] Juniper SRX Series Firewall - Parser
  • [New] McAfee Network Security Parser - Catch All
  • [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft 365 Defender
  • [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft IPC
  • [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft Office 365 Security and Compliance
  • [New] Orca Security Parser - Catch All
  • [New] Squid Proxy - Parser
  • [New] Thinkst Canary Parser - Catch All
  • [New] Zscaler Workload Segmentation Catch All - Parser
  • [Updated] CloudTrail - application-insights.amazonaws.com - ListApplications
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - CreateTrail
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - DeleteTrail
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - StartLogging
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - StopLogging
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - UpdateTrail
  • [Updated] CloudTrail - cognito-idp.amazonaws.com - CreateUserPoolClient
  • [Updated] CloudTrail - controltower.amazonaws.com - CreateManagedAccount
  • [Updated] CloudTrail - ec2.amazonaws.com - AttachInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - AuthorizeSecurityGroupIngress
  • [Updated] CloudTrail - ec2.amazonaws.com - BidEvictedEvent
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateCustomerGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateKeyPair
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateNetworkAcl
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateNetworkAclEntry
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteCustomerGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteKeyPair
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteNetworkAcl
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteNetworkAclEntry
  • [Updated] CloudTrail - ec2.amazonaws.com - DetachInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - ImportKeyPair
  • [Updated] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclAssociation
  • [Updated] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclEntry
  • [Updated] CloudTrail - ecr.amazonaws.com - PolicyExecutionEvent
  • [Updated] CloudTrail - elasticfilesystem.amazonaws.com - NewClientConnection
  • [Updated] CloudTrail - iam.amazonaws.com - AttachGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - AttachRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - AttachUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - CreateAccessKey
  • [Updated] CloudTrail - iam.amazonaws.com - CreatePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - CreatePolicyVersion
  • [Updated] CloudTrail - iam.amazonaws.com - CreateUser
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DeletePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteRolePermissionsBoundary
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteUser
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteUserPermissionsBoundary
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DetachGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DetachRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DetachUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - PutGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - PutRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - PutUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - UpdateAssumeRolePolicy
  • [Updated] CloudTrail - kms.amazonaws.com - DisableKey
  • [Updated] CloudTrail - kms.amazonaws.com - RotateKey
  • [Updated] CloudTrail - kms.amazonaws.com - ScheduleKeyDeletion
  • [Updated] CloudTrail - logs.amazonaws.com - DeleteDestination
  • [Updated] CloudTrail - logs.amazonaws.com - DeleteLogGroup
  • [Updated] CloudTrail - logs.amazonaws.com - DeleteLogStream
  • [Updated] CloudTrail - organizations.amazonaws.com - CreateAccountResult
  • [Updated] CloudTrail - s3.amazonaws.com - CreateBucket
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketCors
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketLifecycle
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketPolicy
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketAcl
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketCors
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketLifecycle
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketPolicy
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketReplication
  • [Updated] CloudTrail - secretsmanager.amazonaws.com - RotationStarted
  • [Updated] CloudTrail - secretsmanager.amazonaws.com - RotationSucceeded
  • [Updated] CloudTrail - secretsmanager.amazonaws.com - SecretVersionDeletion
  • [Updated] CloudTrail - signin.amazonaws.com - CheckMfa
  • [Updated] CloudTrail - signin.amazonaws.com - ConsoleLogin
  • [Updated] CloudTrail - signin.amazonaws.com - ExitRole
  • [Updated] CloudTrail - signin.amazonaws.com - RenewRole
  • [Updated] CloudTrail - signin.amazonaws.com - SwitchRole
  • [Updated] CloudTrail - sso.amazonaws.com - Federate
  • [Updated] CloudTrail - sso.amazonaws.com - ListProfilesForApplication
  • [Updated] CloudTrail Default Mapping
  • [Updated] Cloudflare - Logpush
  • [Updated] Egnyte DLP Parser - Catch All
  • [Updated] Linux OS Syslog - Process kernel - Promiscuous Mode Change
  • [Updated] Okta Authentication Events
  • [Updated] Okta Catch All
  • [Updated] Okta Security Threat Events
  • [Updated] Windows - Security - 4688
Parsers
  • [New] /Parsers/System/Cisco/Cisco Secure Email
  • [New] /Parsers/System/Exabeam/Exabeam Security Management Platform (SMP) Syslog
  • [New] /Parsers/System/Jamf/Jamf
  • [New] /Parsers/System/Juniper/Juniper SRX Series Firewall Syslog
  • [New] /Parsers/System/McAfee/McAfee Network Security
  • [New] /Parsers/System/Orca Security/Orca Security
  • [New] /Parsers/System/Squid/Squid Proxy Syslog
  • [New] /Parsers/System/Thinkst Canary/Thinkst Canary
  • [New] /Parsers/System/Zscaler/Zscaler Workload Segmentation/Zscaler Workload Segmentation JSON
  • [Updated] /Parsers/System/HP/Aruba ClearPass - Syslog
  • [Updated] /Parsers/System/CrowdStrike/CrowdStrike Falcon Endpoint - JSON
  • [Updated] /Parsers/System/Egnyte/Egnyte DLP
  • [Updated] /Parsers/System/F5/F5 Syslog
  • [Updated] /Parsers/System/Linux/Linux OS Syslog
  • [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV
  • [Updated] /Parsers/System/Shared/Syslog Headers
  • [Updated] /Parsers/System/Twistlock/Twistlock

Application Update 2022-05-27

Upcoming Changes
  • [Updated] Starting later next week, the severity attribute in audit log records for Insights (such as InsightCreated) will be changing. Instead of a number (represented as a string) from 1 to 4, the value will be a human-readable string matching the values in the UI (LOW, MEDIUM, HIGH, CRITICAL). Please update any dashboards or other consumers of this data.
  • [Deleted] Later next week, the Content > Suppressed Entities page will be removed from the UI to simplify the application. Instead, users can use a filter on the Content > Entities page to retrieve the list of suppressed Entities.
Minor Changes and Enhancements
  • [Updated] On the Insight Details pages, Signals are now sorted in order of the most recent Signal first by default. (As always, the user can change the sort order.)
  • [New] When creating a copy of a Rule, users are now given the option to apply the Rule Tuning Expression(s) from the original Rule to the copy as well.
  • [New] In the CSE UI, timestamps now explicitly include the time zone.
  • [New] Users can now specify a maximum look-back window (in days) for TAXII feeds.
  • [New] The current status (enabled/disabled) for each feed is now displayed on the Threat Intelligence list page.
Resolved Issues
  • If a user had defined a large number of favorite fields, only the first 50 were shown.
  • When specifying tags, the auto-complete feature was not working properly in some instances.

Content Release 2022-05-26

Rules
  • [Updated] MATCH-S00612 GCP Audit Secrets Manager Activity
  • [Updated] THRESHOLD-S00101 Sharepoint - Excessive Documents Accessed
  • [Updated] THRESHOLD-S00100 Sharepoint - Excessive Documents Downloaded
Log Mappers
  • [New] Cisco Secure Email Parser - Catch All
  • [New] Exabeam Parser - Catch All
  • [New] Jamf Parser - Catch All
  • [New] Juniper SRX Series Firewall - Parser
  • [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft 365 Defender
  • [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft IPC
  • [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft Office 365 Security and Compliance
  • [New] Squid Proxy - Parser
  • [New] Thinkst Canary Parser - Catch All
  • [New] Zscaler Workload Segmentation Catch All - Parser
  • [Updated] Egnyte DLP Parser - Catch All
  • [Updated] Linux OS Syslog - Process kernel - Promiscuous Mode Change
Parsers
  • [New] /Parsers/System/Cisco/Cisco Secure Email
  • [New] /Parsers/System/Exabeam/Exabeam Security Management Platform (SMP) Syslog
  • [New] /Parsers/System/Jamf/Jamf
  • [New] /Parsers/System/Juniper/Juniper SRX Series Firewall Syslog
  • [New] /Parsers/System/Squid/Squid Proxy Syslog
  • [New] /Parsers/System/Thinkst Canary/Thinkst Canary
  • [New] /Parsers/System/Zscaler/Zscaler Workload Segmentation/Zscaler Workload Segmentation JSON
  • [Updated] /Parsers/System/CrowdStrike/CrowdStrike Falcon Endpoint - JSON
  • [Updated] /Parsers/System/Egnyte/Egnyte DLP
  • [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV

Application Update 2022-05-17

Minor Changes and Enhancements
  • [Updated] The _sourceName and _sourceHost values in records ingested by CSE will now reflect the original values defined when ingested into the Sumo Logic platform.
  • [Updated] The "Board" list view for Insights has been updated to include the resolution (screenshot: Resolved-Board-view.png).
Resolved Issues
  • In the new Entities tab in Insights, duplicate Entities were sometimes listed if the raw and normalized names didn't match. Also, the cards will now respond better to very low screen/browser widths.
  • When viewing some verbose content (like Record properties), mousing over the content would cause it to reflow. 
  • When creating match list items via Terraform, the process was occasionally timing out.
  • Email-based actions were not functioning properly on instances with domains ending in jask.ai.

Content Release 2022-05-12

Rules
  • [Updated] LEGACY-S00078 SQL Injection Victim
Log Mappers
  • [New] Check Point Application Control
  • [New] Check Point SmartDefense
  • [New] Check Point URL Filtering
  • [Updated] Check Point Block
Parsers
  • [Updated] /Parsers/System/Check Point/Check Point Firewall JSON
  • [Updated] /Parsers/System/Check Point/Check Point Firewall Syslog
  • [Updated] /Parsers/System/Microsoft/Office 365

Content Release 2022-05-10

Rules
  • [Deleted] MATCH-S00258 Authentication Brute Force Attempt
  • [Updated] MATCH-S00176 RDP Login from Localhost
Log Mappers
  • [Deleted] Windows - Microsoft-Windows-PowerShell/Operational - 4103 - CIP
  • [Deleted] Windows - Microsoft-Windows-PowerShell/Operational - 4104 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 1 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 10 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 11 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 12, 13, and 14 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 15 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 2 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 3 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 4 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 5 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 6 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 8 - CIP
  • [Deleted] Windows - Security - 1100 - CIP
  • [Deleted] Windows - Security - 1102 - CIP
  • [Deleted] Windows - Security - 4624 - CIP
  • [Deleted] Windows - Security - 4625 - CIP
  • [Deleted] Windows - Security - 4634 - CIP
  • [Deleted] Windows - Security - 4648 - CIP
  • [Deleted] Windows - Security - 4649 - CIP
  • [Deleted] Windows - Security - 4656 - CIP
  • [Deleted] Windows - Security - 4658 - CIP
  • [Deleted] Windows - Security - 4661 - CIP
  • [Deleted] Windows - Security - 4662 - CIP
  • [Deleted] Windows - Security - 4663 - CIP
  • [Deleted] Windows - Security - 4672 - CIP
  • [Deleted] Windows - Security - 4674 - CIP
  • [Deleted] Windows - Security - 4688 - CIP
  • [Deleted] Windows - Security - 4689 - CIP
  • [Deleted] Windows - Security - 4697 - CIP
  • [Deleted] Windows - Security - 4698 - CIP
  • [Deleted] Windows - Security - 4702 - CIP
  • [Deleted] Windows - Security - 4704 - CIP
  • [Deleted] Windows - Security - 4720 - CIP
  • [Deleted] Windows - Security - 4726 - CIP
  • [Deleted] Windows - Security - 4728 - CIP
  • [Deleted] Windows - Security - 4732 - CIP
  • [Deleted] Windows - Security - 4740 - CIP
  • [Deleted] Windows - Security - 4742 - CIP
  • [Deleted] Windows - Security - 4754 - CIP
  • [Deleted] Windows - Security - 4755 - CIP
  • [Deleted] Windows - Security - 4756 - CIP
  • [Deleted] Windows - Security - 4768 - CIP
  • [Deleted] Windows - Security - 4769 - CIP
  • [Deleted] Windows - Security - 4770 - CIP
  • [Deleted] Windows - Security - 4771 - CIP
  • [Deleted] Windows - Security - 4776 - CIP
  • [Deleted] Windows - Security - 4778 - CIP
  • [Deleted] Windows - Security - 4779 - CIP
  • [Deleted] Windows - Security - 4780 - CIP
  • [Deleted] Windows - Security - 4793 - CIP
  • [Deleted] Windows - Security - 4798 - CIP
  • [Deleted] Windows - Security - 4799 - CIP
  • [Deleted] Windows - Security - 5038 - CIP
  • [Deleted] Windows - Security - 5058 - CIP
  • [Deleted] Windows - Security - 5059 - CIP
  • [Deleted] Windows - Security - 5061 - CIP
  • [Deleted] Windows - Security - 5140 - CIP
  • [Deleted] Windows - Security - 5379 - CIP
  • [Deleted] Windows - Security - 5805 - CIP
  • [Deleted] Windows - Security - 6272 - CIP
  • [Deleted] Windows - Security - 6273 - CIP
  • [Deleted] Windows - Security - 6275 - CIP
  • [Deleted] Windows - Security - 6278 - CIP
  • [Deleted] Windows - Security - 6416 - CIP
  • [Deleted] Windows - Security - 6423 - CIP
  • [Deleted] Windows - Security - 6424 - CIP
  • [Deleted] Windows - System - 5138 - CIP
  • [Deleted] Windows - System - 6005 - CIP
  • [Deleted] Windows - System - 6006 - CIP
  • [Deleted] Windows - System - 7045 - CIP
  • [New] BlueCat DNS Parser - Catch All
  • [Updated] AWS WAF Allow Logs
  • [Updated] AWS WAF Block Logs
  • [Updated] Firepower Catch All
  • [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure
  • [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Invalid Password
  • [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Invalid User
  • [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure No ID String
  • [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Preauth
  • [Updated] Linux OS Syslog - Process sshd - SSH Auth Success
Parsers
  • [Deleted] /Parsers/System/BlueCat/BlueCat DHCP Syslog
  • [New] /Parsers/System/BlueCat/BlueCat DHCP-DNS Syslog
  • [New] /Parsers/System/Cisco/Cisco Firepower JSON
  • [Updated] /Parsers/System/AWS/AWS WAF
  • [Updated] /Parsers/System/Zscaler/Zscaler Nanolog Streaming Service/Zscaler Nanolog Streaming Service-JSON

Application Update 2022-04-29

Related Entities

[New] The Cloud SIEM Enterprise team is excited to announce a newly enhanced feature: Related Entities. Although Insights and the Signals they contain are focused on a single Entity (a user or a host, for example), there are often a number of additional Entities referenced in the Records/Signals contained in the Insight. In addition, CSE can detect relationships between Entities (for example, determining that an IP address was associated with a given hostname during the Insight detection window).

To provide an easy way for analysts to explore all of these Related Entities, a new tab has been added to the Insight Details page (screenshot: Related Entities.png).

The Entities tab contains a list of all of the Entities detected in the Insight’s Signals and Records. The Primary Entity is listed first, and then the other Related Entities are listed in descending order of appearance. Where CSE has determined a relationship between entities, that is called out (for example, 192.168.1.101 may also be hostname ‘na’). 

Details listed with each entity include tags, the number of Signals the Entity was seen in, the number of recent Insights and Signals that featured that Entity, and the total sum of the Severities for those Signals. 

As each Entity is selected by the user, the right column changes to show more details, such as a link to the full Entity Details page, inventory and other metadata, a Signal timeline, and a list of the recent Signals and Insights (containing links to those individual details pages). 

This new feature should help users understand the context of security events more quickly by providing this data at a glance, reducing the amount of time it would have previously taken to gather that same information. 

More information can be found in the online documentation.
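The following is an added illustration of the ordering and per-Entity figures the Entities tab presents; it is not Sumo Logic's implementation. It assumes a simplified Signal shape (an "id", a numeric "severity", an "entities" list of type/value pairs, and an optional "relationships" list of Entity-key pairs standing in for the relationships CSE detects), treats "order of appearance" as the number of Signals an Entity appeared in, and omits the "recent Insights and Signals" counts, which need history beyond the one Insight. The sample Signals are constructed.

```python
"""Build the Related Entities view of an Insight from its Signals.

Added illustration, not Sumo Logic's implementation. It mirrors what the
Entities tab shows: the primary Entity first, then the other Entities in
descending order of how many Signals they appeared in (assumed to be what
"order of appearance" means), with the Signal count, the summed Signal
severity and any relationship called out for the Entity (e.g. an IP that
was also a hostname). The Signal shape and the sample Signals are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class EntitySummary:
    entity: str                      # "type:value", e.g. "ip:192.168.1.101"
    signal_count: int = 0            # Signals in this Insight the Entity was seen in
    severity_sum: int = 0            # sum of those Signals' severities
    signal_ids: list = field(default_factory=list)
    related: set = field(default_factory=set)   # Entities paired with this one


def entity_key(ent):
    """Canonical key for an Entity dict: lower-cased type, value as given."""
    return f'{ent["type"].lower()}:{ent["value"]}'


def related_entities(primary, signals):
    """Return EntitySummary objects: primary first, then by signal_count desc,
    severity_sum desc, name asc. Each Entity is counted once per Signal even
    if that Signal references it several times."""
    summaries = {primary: EntitySummary(primary)}
    for sig in signals:
        seen_here = set()
        for ent in sig["entities"]:
            key = entity_key(ent)
            if key in seen_here:
                continue
            seen_here.add(key)
            s = summaries.setdefault(key, EntitySummary(key))
            s.signal_count += 1
            s.severity_sum += int(sig["severity"])
            s.signal_ids.append(sig["id"])
        # relationships detected during the Insight window, as pairs of keys
        for a, b in sig.get("relationships", []):
            summaries.setdefault(a, EntitySummary(a)).related.add(b)
            summaries.setdefault(b, EntitySummary(b)).related.add(a)

    others = [s for k, s in summaries.items() if k != primary]
    others.sort(key=lambda s: (-s.signal_count, -s.severity_sum, s.entity))
    return [summaries[primary]] + others


# Constructed sample: three Signals of one Insight whose primary Entity is jdoe.
SAMPLE_SIGNALS = [
    {"id": "sig-1", "severity": 5,
     "entities": [{"type": "ip", "value": "192.168.1.101"},
                  {"type": "user", "value": "jdoe"}],
     "relationships": [("ip:192.168.1.101", "host:na")]},
    {"id": "sig-2", "severity": 3,
     "entities": [{"type": "ip", "value": "192.168.1.101"},
                  {"type": "host", "value": "na"},
                  {"type": "ip", "value": "10.0.0.5"},
                  {"type": "ip", "value": "10.0.0.5"}]},   # duplicate, counted once
    {"id": "sig-3", "severity": 7,
     "entities": [{"type": "user", "value": "jdoe"},
                  {"type": "ip", "value": "10.0.0.5"}]},
]


def render(primary, signals):
    """One text line per Entity, in the order the tab would list them."""
    lines = []
    for s in related_entities(primary, signals):
        rel = f" (may also be {', '.join(sorted(s.related))})" if s.related else ""
        lines.append(f"{s.entity}: {s.signal_count} signals, "
                     f"severity sum {s.severity_sum}{rel}")
    return lines


if __name__ == "__main__":
    print("\n".join(render("user:jdoe", SAMPLE_SIGNALS)))
```

Ties on Signal count are broken by summed severity, so an Entity seen in the same number of Signals but in the more severe ones lists first; the primary Entity is pinned to the top regardless of its own figures, which is the behaviour the note describes.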

Minor Changes and Enhancements
  • [Update] For Signals generated by Threshold, Aggregation and Chain Rules, the Queried Records feature lets users find additional Records that also apply to the Signal, beyond those that were needed to meet the Rule's conditions. The page that lists these Queried Records now explicitly shows the search query and time window being checked. Clicking the query opens a Log Search window with the query and time window pre-filled for deeper investigation (screenshot: queried-records.png).

Content Release 2022-04-29

Rules
  • [Updated] THRESHOLD-S00051 AWS CloudTrail - IAM User Generating AccessDenied Errors Across Multiple Actions
  • [Updated] THRESHOLD-S00093 AWS Route 53 Reconnaissance
  • [Updated] THRESHOLD-S00092 AWS WAF Reconnaissance
  • [Updated] THRESHOLD-S00044 DNS DGA Lookup Behavior - NXDOMAIN Responses
  • [Updated] THRESHOLD-S00088 GCP Audit Reconnaissance Activity
  • [Updated] LEGACY-S00047 High risk file extension download without hostname and referrer
  • [Updated] CHAIN-S00004 Lateral Movement Using the Windows Hidden Admin Share
  • [Updated] MATCH-S00687 Linux Security Tool Usage
  • [Updated] THRESHOLD-S00048 Outbound Traffic to Countries Outside the United States
  • [Updated] THRESHOLD-S00040 Possible DNS over TLS (DoT) Activity
  • [Updated] THRESHOLD-S00031 RDP Brute Force Attempt
  • [Updated] THRESHOLD-S00034 SSH Authentication Failures
Log Mappers
  • [New] BlueCat DHCP Parser - Catch All
  • [New] Microsoft Exchange Catch All
  • [New] Microsoft Exchange HTTP Error
  • [New] Microsoft Exchange IIS
  • [New] Varonis DatAlert - Parser
  • [Updated] Varonis DatAdvantage - CEF
Parsers
  • [New] /Parsers/System/BlueCat/BlueCat DHCP Syslog
  • [New] /Parsers/System/Microsoft/Exchange
  • [New] /Parsers/System/Varonis/Varonis DatAlert Syslog
  • [Updated] /Parsers/System/F5/F5 Syslog

Content Release 2022-04-26

Rules
  • [New] MATCH-S00808 Azure - Container Instance Creation/Modification
  • [New] MATCH-S00809 Azure - Container Start
  • [New] MATCH-S00807 Azure - Image Created/Modified
  • [New] MATCH-S00810 Azure - Image Deleted
Log Mappers
  • [New] Darktrace Parser Events
  • [Updated] Zscaler - Nanolog Streaming Service - JSON
Parsers
  • [New] /Parsers/System/Darktrace/Darktrace Syslog
  • [New] /Parsers/System/Zscaler/Zscaler Nanolog Streaming Service/Zscaler Nanolog Streaming Service-JSON

Content Release 2022-04-20

Rules
  • [New] MATCH-S00798 Azure - Anonymous Blob Access
  • [New] MATCH-S00805 Azure - Bastion Host Created/Modified
  • [New] MATCH-S00806 Azure - Bastion Host Deleted
  • [New] MATCH-S00795 Azure - Diagnostic Setting Deleted
  • [New] MATCH-S00796 Azure - Diagnostic Setting Modified
  • [New] MATCH-S00797 Azure - Event Hub Deleted
  • [New] THRESHOLD-S00109 Azure - Excessive Key Vault Get Requests
  • [New] MATCH-S00788 Azure - Key Deletion
  • [New] MATCH-S00789 Azure - Key Purged
  • [New] MATCH-S00792 Azure - Key Vault Deleted
  • [New] MATCH-S00787 Azure - Protected Item Deletion Attempt
  • [New] MATCH-S00794 Azure - Secret Backup
  • [New] MATCH-S00791 Azure - Secret Deleted
  • [New] MATCH-S00790 Azure - Secret Purged
  • [New] MATCH-S00800 Azure - Storage Deletion
  • [New] MATCH-S00799 Azure - Storage Modification
  • [New] MATCH-S00803 Azure - Virtual Machine Creation/Modification
  • [New] MATCH-S00804 Azure - Virtual Machine Deleted
  • [New] MATCH-S00801 Azure - Virtual Machine Started
  • [New] MATCH-S00802 Azure - Virtual Machine Stopped
  • [Updated] MATCH-S00246 AWS CloudTrail - GetSecretValue from non Amazon IP
  • [Updated] MATCH-S00494 Backdoor.HTTP.BEACON.[Yelp Request]
  • [Updated] MATCH-S00492 Backdoor.HTTP.GORAT.[SID1]
  • [Updated] LEGACY-S00047 High risk file extension download without hostname and referrer
  • [Updated] MATCH-S00445 Known Ransomware File Extensions
Log Mappers
  • [New] Dropbox - Authentication
  • [New] Dropbox - Catch All
  • [Updated] Azure AuditEvent logs
Parsers
  • [Updated] /Parsers/System/AWS/GuardDuty

Announcement 2022-04-19

We will be consolidating Authentication Brute Force Attempt MATCH-S00258 on Tuesday May 10 into the normalized intrusion rule set. For more information on the normalized intrusion rule set, please visit the help page.

Application Update 2022-04-18

Minor Changes and Enhancements
  • [New] API endpoints are now available to add or remove Signals to/from a given Insight: PUT /insights/<insightId>/signals and DELETE /insights/<insightId>/signals respectively. For both endpoints, the request body is a list of the Signal ID(s) to add or remove, and the response is the updated Insight.
  • [Update] The way CSE displays group membership in Active Directory inventory objects is changing. Previously it was displayed as an LDAP distinguished name (for example, cn=groupname,dc=something,dc=domain,dc=com); now only the group name is shown.
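An added example of calling the add/remove Signal endpoints above; it is not Sumo Logic's client library. The API base URL is a placeholder, the HTTP Basic scheme built from an access ID and key is an assumption to be checked against your deployment's API documentation, and the in-memory transport (including the "signalIds" field in its response) is constructed so the example runs offline. What the page fixes is reflected directly: PUT adds, DELETE removes, the body is a bare JSON list of Signal IDs, and the response is the updated Insight.

```python
"""Add or remove Signals on an Insight through
PUT /insights/<insightId>/signals and DELETE /insights/<insightId>/signals,
each taking a JSON list of Signal IDs and returning the updated Insight.

Added example, not Sumo Logic's client library. Assumptions: the API base
URL is a placeholder, and authentication is HTTP Basic with an access ID and
key (check your deployment's API documentation). fake_transport is a
constructed stand-in for the API so the example runs offline.
"""
import base64
import json
import urllib.parse
import urllib.request
from urllib.error import HTTPError


class CseInsightClient:
    def __init__(self, base_url, access_id, access_key, transport=None):
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(f"{access_id}:{access_key}".encode()).decode()
        self._auth = f"Basic {token}"          # assumed auth scheme
        self.transport = transport or self._urllib_transport

    @staticmethod
    def _urllib_transport(req):
        """Real HTTP: returns (status, body bytes) without raising on 4xx/5xx."""
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.status, resp.read()
        except HTTPError as err:
            return err.code, err.read()

    def _signals_request(self, method, insight_id, signal_ids):
        ids = list(signal_ids)
        if not ids or not all(isinstance(i, str) and i for i in ids):
            raise ValueError("signal_ids must be a non-empty list of Signal ID strings")
        url = (f"{self.base_url}/insights/"
               f"{urllib.parse.quote(insight_id, safe='')}/signals")
        req = urllib.request.Request(
            url, data=json.dumps(ids).encode(), method=method,
            headers={"Content-Type": "application/json",
                     "Accept": "application/json",
                     "Authorization": self._auth})
        status, raw = self.transport(req)
        if status != 200:
            raise RuntimeError(f"{method} {url} -> HTTP {status}: {raw[:200]!r}")
        return json.loads(raw)

    def add_signals(self, insight_id, signal_ids):
        """PUT: attach the given Signals; returns the updated Insight."""
        return self._signals_request("PUT", insight_id, signal_ids)

    def remove_signals(self, insight_id, signal_ids):
        """DELETE: detach the given Signals; returns the updated Insight."""
        return self._signals_request("DELETE", insight_id, signal_ids)


def fake_transport(store):
    """Constructed in-memory API: `store` maps insight ID -> list of Signal IDs.
    The "signalIds" field in its response is invented for this example."""
    def send(req):
        insight_id = urllib.parse.unquote(
            req.full_url.split("/insights/")[1].split("/")[0])
        if insight_id not in store:
            return 404, b'{"error":"insight not found"}'
        ids = json.loads(req.data)
        current = store[insight_id]
        if req.get_method() == "PUT":
            current.extend(i for i in ids if i not in current)
        elif req.get_method() == "DELETE":
            current[:] = [i for i in current if i not in ids]
        else:
            return 405, b""
        return 200, json.dumps({"id": insight_id, "signalIds": list(current)}).encode()
    return send


if __name__ == "__main__":
    store = {"INSIGHT-1": ["sig-a"]}
    client = CseInsightClient("https://api.example.com/api/sec/v1", "ACCESS_ID",
                              "ACCESS_KEY", transport=fake_transport(store))
    print(client.add_signals("INSIGHT-1", ["sig-b", "sig-c"]))
    print(client.remove_signals("INSIGHT-1", ["sig-a"]))
```

The transport is injected so the same client can be pointed at the real API (default urllib transport) or at a stub in tests; non-200 responses are surfaced as errors with the status and a bounded slice of the body rather than being parsed as an Insight.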
Resolved Issues
  • Signal and Insight timestamps in the Cloud SIEM Enterprise UI were not always displayed in the user’s preferred time zone.
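For the Active Directory group-membership change in the Minor Changes above (LDAP distinguished name before, bare group name now), the following added example, not CSE code, normalises either form to the group name so a consumer of inventory data keeps working across the change. DN splitting and unescaping follow RFC 4514; the sample values are constructed.

```python
"""Normalise an Active Directory group value to the bare group name, whether
it arrives in the earlier LDAP DN form (cn=groupname,dc=...,dc=com) or in the
new bare-name form, so downstream consumers survive the display change.

Added example, not CSE code. DN splitting and unescaping follow RFC 4514
(backslash-escaped specials and \\XX hex pairs); the sample values are constructed.
"""
import re

_RDN_PREFIX = re.compile(r"^[A-Za-z][\w.-]*=")


def split_dn(dn):
    """Split a DN into RDN strings on commas that are not backslash-escaped."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])          # keep the escape pair intact for now
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    return [r.strip() for r in rdns if r.strip()]


def unescape_rdn_value(value):
    """Undo RFC 4514 escaping: '\\,' -> ',' and '\\2C' -> ','.
    Hex pairs are gathered as bytes before decoding so multi-byte UTF-8
    characters escaped one byte at a time come back whole."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                out.append(int(pair, 16))
                i += 3
                continue
            out += value[i + 1].encode("utf-8")
            i += 2
            continue
        out += value[i].encode("utf-8")
        i += 1
    return out.decode("utf-8", errors="replace")


def group_name(value):
    """Return the bare group name for either representation.
    A bare name is returned unchanged; a DN must start with a CN RDN."""
    value = value.strip()
    rdns = split_dn(value)
    if not rdns or not all(_RDN_PREFIX.match(r) for r in rdns):
        return value                       # already the new bare-name form
    attr, _, raw = rdns[0].partition("=")
    if attr.strip().lower() != "cn":
        raise ValueError(f"DN does not start with a CN: {rdns[0]!r}")
    return unescape_rdn_value(raw.strip())


if __name__ == "__main__":
    for v in ("cn=groupname,dc=something,dc=domain,dc=com",
              "CN=Domain\\, Admins,OU=Groups,DC=corp,DC=example",
              "Domain Admins"):
        print(f"{v!r} -> {group_name(v)!r}")
```

Splitting on unescaped commas matters because group names such as "Domain, Admins" are legal and arrive escaped in a DN; naive `split(",")` would return a truncated name. A value is treated as a DN only when every comma-separated part looks like `attr=value`, so a bare name containing a comma still passes through unchanged; a bare name that itself contains "=" is the one ambiguous input and is reported as an error rather than guessed at.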

Announcements 2022-04-15

  • Because it can now be connected via more standardized TAXII feeds, the integration between Cloud SIEM Enterprise and Anomali ThreatStream has been deprecated as of April 15, 2022. If you are using this integration, be sure to convert to a TAXII feed. To set up a feed, first follow Anomali’s documentation for Setting up a TAXII feed for ThreatStream then Sumo Logic’s documentation for Integrating CSE with a TAXII Feed.
  • The Entity API has been updated to include a new field IsSuppressed. This field replaces IsWhitelisted which has been deprecated as of April 15, 2022. If you were previously using IsWhitelisted please ensure you have switched to the new field.

Content Release 2022-04-14

Rules
  • [New] MATCH-S00785 Azure - Blob Container Deletion
  • [New] MATCH-S00786 Azure - SQL Database Export
  • [Updated] MATCH-S00243 Azure - High Risk Sign-In (Aggregate)
  • [Updated] MATCH-S00245 Azure - High Risk Sign-In (Real Time)
  • [Updated] MATCH-S00224 Azure - Risky User State : User Confirmed Compromised
  • [Updated] MATCH-S00250 Azure - Suspicious User Risk State Associated with Login
  • [Updated] LEGACY-S00066 PowerShell Remote Administration
  • [Updated] LEGACY-S00105 Suspicious DC Logon
  • [Updated] THRESHOLD-S00075 Too Many Kerberos Encryption Downgrade SPNs (Kerberoasting)
Log Mappers
  • [Updated] CloudTrail - application-insights.amazonaws.com - ListApplications
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - CreateTrail
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - DeleteTrail
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - StartLogging
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - StopLogging
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - UpdateTrail
  • [Updated] CloudTrail - cognito-idp.amazonaws.com - CreateUserPoolClient
  • [Updated] CloudTrail - controltower.amazonaws.com - CreateManagedAccount
  • [Updated] CloudTrail - ec2.amazonaws.com - AttachInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - AuthorizeSecurityGroupIngress
  • [Updated] CloudTrail - ec2.amazonaws.com - BidEvictedEvent
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateCustomerGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateKeyPair
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateNetworkAcl
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateNetworkAclEntry
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteCustomerGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteKeyPair
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteNetworkAcl
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteNetworkAclEntry
  • [Updated] CloudTrail - ec2.amazonaws.com - DetachInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - ImportKeyPair
  • [Updated] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclAssociation
  • [Updated] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclEntry
  • [Updated] CloudTrail - ecr.amazonaws.com - PolicyExecutionEvent
  • [Updated] CloudTrail - elasticfilesystem.amazonaws.com - NewClientConnection
  • [Updated] CloudTrail - iam.amazonaws.com - AttachGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - AttachRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - AttachUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - CreateAccessKey
  • [Updated] CloudTrail - iam.amazonaws.com - CreatePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - CreatePolicyVersion
  • [Updated] CloudTrail - iam.amazonaws.com - CreateUser
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DeletePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteRolePermissionsBoundary
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteUser
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteUserPermissionsBoundary
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DetachGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DetachRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DetachUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - PutGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - PutRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - PutUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - UpdateAssumeRolePolicy
  • [Updated] CloudTrail - kms.amazonaws.com - DisableKey
  • [Updated] CloudTrail - kms.amazonaws.com - RotateKey
  • [Updated] CloudTrail - kms.amazonaws.com - ScheduleKeyDeletion
  • [Updated] CloudTrail - logs.amazonaws.com - DeleteDestination
  • [Updated] CloudTrail - logs.amazonaws.com - DeleteLogGroup
  • [Updated] CloudTrail - logs.amazonaws.com - DeleteLogStream
  • [Updated] CloudTrail - organizations.amazonaws.com - CreateAccountResult
  • [Updated] CloudTrail - s3.amazonaws.com - CreateBucket
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketCors
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketLifecycle
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketPolicy
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketAcl
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketCors
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketLifecycle
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketPolicy
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketReplication
  • [Updated] CloudTrail - secretsmanager.amazonaws.com - RotationStarted
  • [Updated] CloudTrail - secretsmanager.amazonaws.com - RotationSucceeded
  • [Updated] CloudTrail - secretsmanager.amazonaws.com - SecretVersionDeletion
  • [Updated] CloudTrail - signin.amazonaws.com - CheckMfa
  • [Updated] CloudTrail - signin.amazonaws.com - ConsoleLogin
  • [Updated] CloudTrail - signin.amazonaws.com - ExitRole
  • [Updated] CloudTrail - signin.amazonaws.com - RenewRole
  • [Updated] CloudTrail - signin.amazonaws.com - SwitchRole
  • [Updated] CloudTrail - sso.amazonaws.com - Federate
  • [Updated] CloudTrail - sso.amazonaws.com - ListProfilesForApplication
  • [Updated] CloudTrail Default Mapping
  • [Updated] Microsoft Graph AD Reporting API C2C - DirectoryAudits
  • [Updated] Microsoft Graph AD Reporting API C2C - Provisioning
  • [Updated] Microsoft Graph AD Reporting API C2C - Signin
  • [Updated] Trend Micro CEF logs
Parsers
  • [New] /Parsers/System/Trend Micro/Trend Micro Deep Security - CEF

Content Release 2022-04-12

Rules
  • [New] MATCH-S00784 Linux Host Entered Promiscuous Mode
Log Mappers
  • [Deleted] AWS VPC Flow Logs - Custom Format 1
  • [Deleted] Adaxes Execute Event
  • [Deleted] Adaxes Modify Event
  • [Deleted] Adaxes Run PowerShell Event
  • [Deleted] Aruba Error Logs
  • [Deleted] Aruba ICMP Logs
  • [Deleted] Aruba LDAP Server Logs
  • [Deleted] Aruba PoniUnwired HTTPD CGID Samples
  • [Deleted] Aruba PoniUnwired HTTPD Core Error Samples
  • [Deleted] Aruba PoniUnwired HTTPD Core Warn Samples
  • [Deleted] Aruba PoniUnwired HTTPD ssl error Samples
  • [Deleted] Aruba PoniUnwired Warn Samples
  • [Deleted] BIND DNS Query
  • [Deleted] BIND DNS Update Zone
  • [Deleted] BIND DNS Update Zone Failed
  • [Deleted] BIOC Credential Access logs
  • [Deleted] BIOC Dropper logs
  • [Deleted] BIOC Evasion Variation 2 logs
  • [Deleted] BIOC Evasion logs
  • [Deleted] BIOC Infiltration logs
  • [Deleted] BIOC Persistence and Execution logs
  • [Deleted] BIOC Privilege logs
  • [Deleted] BIOC Reconnaissance logs
  • [Deleted] BIOC Reconnaissance logs Variation 2
  • [Deleted] BIOC Tampering logs
  • [Deleted] BIOC create and write logs
  • [Deleted] Bandura Domain Logs
  • [Deleted] Bandura Packet Logs
  • [Deleted] Barracuda Proxy
  • [Deleted] Bind DHCP Full
  • [Deleted] Bind DHCP On
  • [Deleted] Bind DHCP Short
  • [Deleted] Bind DNS log 1
  • [Deleted] Bind DNS log 10
  • [Deleted] Bind DNS log 2
  • [Deleted] Bind DNS log 3
  • [Deleted] Bind DNS log 4
  • [Deleted] Bind DNS log 5
  • [Deleted] Bind DNS log 6
  • [Deleted] Bind DNS log 7
  • [Deleted] Bind DNS log 8
  • [Deleted] Bind DNS log 9
  • [Deleted] Bind9 DNS
  • [Deleted] Blue Coat Proxy 2
  • [Deleted] Blue Coat Proxy 4
  • [Deleted] Blue Coat Proxy 5
  • [Deleted] Blue Coat Proxy 6
  • [Deleted] Blue Coat Proxy 7
  • [Deleted] Blue Coat Proxy Logs
  • [Deleted] BlueCat DHCP Bootrequest
  • [Deleted] BlueCat DHCP Decline
  • [Deleted] BlueCat DHCP INFORM Logs
  • [Deleted] BlueCat DHCP Offer Logs
  • [Deleted] BlueCat DHCP Reuse Lease
  • [Deleted] BlueCat DHCP failover
  • [Deleted] BlueCat DNS
  • [Deleted] BlueCat DNS with Key
  • [Deleted] CB Protection
  • [Deleted] CB Protection Username
  • [Deleted] CB Response Server 1
  • [Deleted] CB Response Server 10
  • [Deleted] CB Response Server 11
  • [Deleted] CB Response Server 13
  • [Deleted] CB Response Server 14
  • [Deleted] CB Response Server 15
  • [Deleted] CB Response Server 17
  • [Deleted] CB Response Server 2
  • [Deleted] CB Response Server 20
  • [Deleted] CB Response Server 3
  • [Deleted] CB Response Server 4
  • [Deleted] CB Response Server 5
  • [Deleted] CB Response Server 6
  • [Deleted] CB Response Server 7
  • [Deleted] CB Response Server 9
  • [Deleted] CB Response Severity 1
  • [Deleted] CB Response Severity 2
  • [Deleted] CB Response Severity 3
  • [Deleted] CICSCOFW434002
  • [Deleted] Check Point ACCEPT Grok
  • [Deleted] Check Point DROP
  • [Deleted] Check Point VPN
  • [Deleted] Check Point encrypt/decrypt
  • [Deleted] Check Point key install
  • [Deleted] Cisco ACS FAILED-ATTEMPT
  • [Deleted] Cisco ACS FAILED-AUTHENTICATION
  • [Deleted] Cisco ACS Passed-Authentication
  • [Deleted] Cisco ACS Tacacs-Accounting
  • [Deleted] Cisco ASA 106002
  • [Deleted] Cisco ASA 106012
  • [Deleted] Cisco ASA 106013
  • [Deleted] Cisco ASA 106018
  • [Deleted] Cisco ASA 106022
  • [Deleted] Cisco ASA 113039
  • [Deleted] Cisco ASA 716037
  • [Deleted] Cisco ASA 716038
  • [Deleted] Cisco ASA 716039
  • [Deleted] Cisco ASA 722056
  • [Deleted] Cisco ASA 725012
  • [Deleted] Cisco ASA 725017
  • [Deleted] Cisco ASA 734003
  • [Deleted] Cisco ASA 746012
  • [Deleted] Cisco AnyConnect NAT RULES Logs
  • [Deleted] Cisco Authentication Message 01
  • [Deleted] Cisco Authentication Message 02
  • [Deleted] Cisco Authentication Message 03
  • [Deleted] Cisco Authentication Message 04
  • [Deleted] Cisco Authentication Message 05
  • [Deleted] Cisco Authentication Message 06
  • [Deleted] Cisco Authentication Message 07
  • [Deleted] Cisco Authentication Message 08
  • [Deleted] Cisco Authentication Message 09
  • [Deleted] Cisco Authentication Message 10
  • [Deleted] Cisco Authentication Message 11
  • [Deleted] Cisco Authentication Message 12
  • [Deleted] Cisco Authentication Message 13
  • [Deleted] Cisco Authentication Message 14
  • [Deleted] Cisco Authentication Message 15
  • [Deleted] Cisco IOS Message
  • [Deleted] Cisco IOS Queue Full
  • [Deleted] Cisco Ironport WSA
  • [Deleted] Cisco Ironport WSA NOHD
  • [Deleted] Cisco Ironport WSA NOHD 01
  • [Deleted] Cisco Ironport WSA NOHD 03
  • [Deleted] Cisco Meraki IDS-Alerts
  • [Deleted] Cisco Meraki Security Event
  • [Deleted] Cisco Meraki Security Filtering Disposition Change
  • [Deleted] Cisco Umbrella IP Logs Custom
  • [Deleted] Citrix NetScaler AAA Message
  • [Deleted] Citrix NetScaler API CMD EXECUTED
  • [Deleted] Citrix NetScaler Delinked Message
  • [Deleted] Citrix NetScaler Delinked Message 01
  • [Deleted] Citrix NetScaler TCP Connection Terminated
  • [Deleted] DNS_Additions
  • [Deleted] EPO_THREATS_AV
  • [Deleted] EXABEAM
  • [Deleted] F5 HTTPd Audit
  • [Deleted] F5 SSHD Samples
  • [Deleted] F5 SSL Request
  • [Deleted] Firepower Access Control
  • [Deleted] Firepower Access Control 2
  • [Deleted] Firepower Access Control 3
  • [Deleted] Firepower Access Control 4
  • [Deleted] Firepower Access Control 5
  • [Deleted] Firepower Alerts
  • [Deleted] Forcepoint NEW
  • [Deleted] Huawei SNMP LOGS
  • [Deleted] IBM WebSpheredatadevice error 1
  • [Deleted] IBM WebSpheredatadevice error 2
  • [Deleted] IBM WebSpheredatadevice error 3
  • [Deleted] IBM WebSpheredatadevice error 4
  • [Deleted] IBM WebSpheredatadevice error 5
  • [Deleted] INFOBLOX_DNS_QUERIES LOGS
  • [Deleted] INFOBLOX_DNS_QUERIES LOGS - NIOS
  • [Deleted] Infoblox DHCP Updater 1
  • [Deleted] Infoblox DHCP Updater 2
  • [Deleted] Infoblox DHCP Updater 3
  • [Deleted] Infoblox DHCP Updater 4
  • [Deleted] Infoblox DHCP Updater 5
  • [Deleted] Infoblox DHCPACK RENEW Samples
  • [Deleted] Infoblox DHCPACK v2 Samples
  • [Deleted] Infoblox DHCPDISCOVER Samples
  • [Deleted] Infoblox DHCPDISCOVER Samples 2
  • [Deleted] Infoblox DHCPDISCOVER Unknown network Sample
  • [Deleted] Infoblox DHCPEXPIRE Samples
  • [Deleted] Infoblox DHCPNAK Samples
  • [Deleted] Infoblox DHCPOFFER UID Samples
  • [Deleted] Infoblox DHCPRELEASE Samples
  • [Deleted] Infoblox DNS Reqest AXRF Ended
  • [Deleted] Infoblox DNS Reqest AXRF Started
  • [Deleted] Infoblox DNS Response
  • [Deleted] Infoblox DNS Zone Update 1
  • [Deleted] Infoblox DNS Zone Update 2
  • [Deleted] Infoblox DNS Zone Update 3
  • [Deleted] Infoblox DNS Zone Update 4
  • [Deleted] Infoblox DNS Zone Update 5
  • [Deleted] Infoblox DNS Zone Update 6
  • [Deleted] Infoblox Domain Notified
  • [Deleted] Invalid Login
  • [Deleted] IronPort Quarantined MID
  • [Deleted] IronPort Quarantined TO
  • [Deleted] Ironport DCID Message
  • [Deleted] Ironport DKIM
  • [Deleted] Ironport ICID Message
  • [Deleted] Ironport Info IC
  • [Deleted] Ironport Info IC and Msg
  • [Deleted] Ironport Info ISQ or RPC
  • [Deleted] Ironport Info Message
  • [Deleted] Ironport Info Mid Info
  • [Deleted] Ironport WSA SFIMS Protocol 1
  • [Deleted] Ironport WSA SFIMS Protocol 2
  • [Deleted] Ironport WSA SFIMS Protocol 3
  • [Deleted] Ironport WSA SFIMS Protocol 4
  • [Deleted] Ironport Warn Message
  • [Deleted] Ironport Warning Connection Error
  • [Deleted] Ironport Warning Full
  • [Deleted] Ironport Warning Invalid DNS FULL
  • [Deleted] Ironport Warning LIMIT
  • [Deleted] Juniper Flow Reassemble Logs
  • [Deleted] Juniper Session Error Logs
  • [Deleted] LINUX User Auth with Hostname
  • [Deleted] Linux Laravel Activity Logs
  • [Deleted] Linux Laravel Activity Logs 01
  • [Deleted] Linux Laravel Login Logs
  • [Deleted] LinuxServer Audit Logs 01
  • [Deleted] LinuxServer Audit Logs 02
  • [Deleted] LinuxServer Log 1
  • [Deleted] LinuxServer Log 11
  • [Deleted] LinuxServer Log 2
  • [Deleted] LinuxServer Log 3
  • [Deleted] LinuxServer Log 4
  • [Deleted] LinuxServer Log 5
  • [Deleted] LinuxServer Log 6
  • [Deleted] LinuxServer Log 7
  • [Deleted] Mcafee MVISION CASB Log
  • [Deleted] NSM_THREAT_IPS
  • [Deleted] Network Management Logs
  • [Deleted] Oauth Logs
  • [Deleted] Ossec Group Addition Logs
  • [Deleted] Ossec Insecure Connection Logs
  • [Deleted] Ossec Integrity checksum Logs
  • [Deleted] Ossec Root Login Refused Logs
  • [Deleted] Ossec ssh server Logs
  • [Deleted] Palo Alto Traps Analytics
  • [Deleted] Palo Alto Traps Analytics - Cloud
  • [Deleted] Palo Alto Traps Config - Cloud
  • [Deleted] Palo Alto Traps Event
  • [Deleted] Palo Alto Traps Events Updated
  • [Deleted] Palo Alto Traps Misc - Cloud
  • [Deleted] Palo Alto Traps System - Cloud
  • [Deleted] Pulse Secure Endpoint
  • [Deleted] Pulse Secure Logs
  • [Deleted] Renew Logs
  • [Deleted] Shibboleth DUO
  • [Deleted] Shibboleth HTTP Redirect EDU
  • [Deleted] Shibboleth HTTP Redirect Email
  • [Deleted] Shibboleth LDAP
  • [Deleted] Shibboleth LDAP Email
  • [Deleted] Snare AgentHeartBeat Logs
  • [Deleted] Snare Windows DHCP Logs
  • [Deleted] SonicWall Bad FTP Protocol
  • [Deleted] SonicWall Block Dropped Events
  • [Deleted] SonicWall Flood Attack
  • [Deleted] SonicWall IPS
  • [Deleted] SonicWall Port Scan
  • [Deleted] SonicWall URL Filter
  • [Deleted] Successful Login
  • [Deleted] Successful Logins
  • [Deleted] Successful SSH Login
  • [Deleted] Suricata HTTP Logs
  • [Deleted] Suricata LogStash
  • [Deleted] Suricata Logstash Custom
  • [Deleted] Suricata Threat Logs
  • [Deleted] Symantec SEP AntiVirus
  • [Deleted] Symantec SEP Potential Risk Found 01
  • [Deleted] Symantec SEP Potential Risk Found 2
  • [Deleted] Symantec SEP Potential Risk Found 3
  • [Deleted] Symantec SEP SONAR
  • [Deleted] Symantec SEP Security Risk Found
  • [Deleted] Symantec SEP Sonar Detection
  • [Deleted] Symantec SEP USB Drive
  • [Deleted] Tanium S24 Logs
  • [Deleted] VLT Vault Extra
  • [Deleted] VMware Logs 1
  • [Deleted] VMware Logs 2
  • [Deleted] VMware Logs 3
  • [Deleted] VMware Logs 4
  • [Deleted] VMware Logs 5
  • [Deleted] VMware Logs 6
  • [Deleted] VMware Logs 7
  • [Deleted] VMware Logs 8
  • [Deleted] VPN Messages
  • [Deleted] VPN Messages 2
  • [Deleted] VPN Messages 3
  • [Deleted] VPN Messages 4
  • [Deleted] VPN Messages 5
  • [Deleted] WatchGuard flow log
  • [Deleted] WatchGuard flow log 2
  • [Deleted] Windows DHCP
  • [Deleted] Windows Defender Unstructured
  • [Deleted] Windows QUICK FIX
  • [Deleted] Zscaler Firewall Grok
  • [Deleted] cisco17
  • [Deleted] cisco20
  • [Deleted] ePO Threat Event
  • [New] AWS EKS - Custom Parser
  • [New] Azure Storage Analytics
  • [New] Citrix NetScaler - SSL Handshake Success
  • [Updated] Azure Administrative logs
  • [Updated] Azure Write and Delete Logs
  • [Updated] Citrix NetScaler - AAA-LOGIN_FAILED
  • [Updated] Citrix NetScaler - Command Executed
  • [Updated] Citrix NetScaler - SSLVPN-HTTPREQUEST
  • [Updated] Citrix NetScaler - SSLVPN-ICA Events
  • [Updated] Citrix NetScaler - SSLVPN-LOGIN
  • [Updated] Citrix NetScaler - SSLVPN-LOGOUT
  • [Updated] Citrix NetScaler - SSLVPN-TCPCONNSTAT
Parsers
  • [New] /Parsers/System/AWS/AWS EKS
  • [New] /Parsers/System/Microsoft/Azure Storage Analytics
  • [Updated] /Parsers/System/Citrix/Citrix NetScaler Syslog
Legacy Parsers
  • [Deleted] 4624
  • [Deleted] ARUBA_PONIUNWIRED_HTTPD_CGID_SAMPLES
  • [Deleted] ARUBA_PONIUNWIRED_HTTPD_CORE_ERROR_SAMPLES
  • [Deleted] ARUBA_PONIUNWIRED_HTTPD_CORE_WARN_SAMPLES
  • [Deleted] ARUBA_PONIUNWIRED_HTTPD_SSL_ERROR_SAMPLES
  • [Deleted] ARUBA_PONIUNWIRED_WARN_SAMPLES
  • [Deleted] ASA_106002
  • [Deleted] ASA_106013
  • [Deleted] ASA_106018
  • [Deleted] ASA_106022
  • [Deleted] ASA_113039
  • [Deleted] ASA_5_746012
  • [Deleted] ASA_6_106012
  • [Deleted] ASA_716037
  • [Deleted] ASA_716038
  • [Deleted] ASA_716039
  • [Deleted] ASA_722056
  • [Deleted] ASA_7_725012
  • [Deleted] ASA_7_725017
  • [Deleted] ASA_7_734003
  • [Deleted] AWS_VPC_FLOW_CUSTOM_1
  • [Deleted] Adaxes_Execute_Event
  • [Deleted] Adaxes_Modify_Event
  • [Deleted] Adaxes_Run_PowerShell_Event
  • [Deleted] Aruba_Error_Logs
  • [Deleted] Aruba_ICMP_Logs
  • [Deleted] Aruba_LDAP_Server_Logs
  • [Deleted] BANDURA_DOMAIN_LOGS
  • [Deleted] BANDURA_PACKET_LOGS
  • [Deleted] BARRACUDA_PROXY
  • [Deleted] BIND9
  • [Deleted] BIND_DHCP_FOR_FULL
  • [Deleted] BIND_DHCP_FOR_SHORT
  • [Deleted] BIND_DHCP_ON
  • [Deleted] BIND_Query
  • [Deleted] BIND_Update_Zone
  • [Deleted] BIND_Update_Zone_Failure
  • [Deleted] BIOC_CREATE_AND_WRITE
  • [Deleted] BIOC_CREDENTIAL_ACCESS
  • [Deleted] BIOC_DROPPER
  • [Deleted] BIOC_EVASION
  • [Deleted] BIOC_EVASION_VARIATION_2
  • [Deleted] BIOC_INFILTRATION
  • [Deleted] BIOC_PERSISTENCE_EXECUTION
  • [Deleted] BIOC_PRIVILEGE
  • [Deleted] BIOC_RECONNAISSANCE
  • [Deleted] BIOC_RECONNAISSANCE_VARIATION_2
  • [Deleted] BIOC_TAMPERING
  • [Deleted] BLUECAT_DHCP_BOOTREQUEST
  • [Deleted] BLUECAT_DHCP_DECLINE
  • [Deleted] BLUECAT_DHCP_INFORM
  • [Deleted] BLUECAT_DHCP_OFFER
  • [Deleted] BLUECAT_DHCP_failover
  • [Deleted] BLUECAT_DHCP_reuse_lease
  • [Deleted] BLUECAT_DNS_NO_KEY
  • [Deleted] BLUECAT_DNS_WITH_KEY
  • [Deleted] BLUECOAT_PROXY
  • [Deleted] BLUECOAT_PROXY_2
  • [Deleted] BLUECOAT_PROXY_4
  • [Deleted] BLUECOAT_PROXY_5
  • [Deleted] BLUECOAT_PROXY_6
  • [Deleted] BLUECOAT_PROXY_7
  • [Deleted] Bind_DNS_log_1
  • [Deleted] Bind_DNS_log_10
  • [Deleted] Bind_DNS_log_2
  • [Deleted] Bind_DNS_log_3
  • [Deleted] Bind_DNS_log_4
  • [Deleted] Bind_DNS_log_5
  • [Deleted] Bind_DNS_log_6
  • [Deleted] Bind_DNS_log_7
  • [Deleted] Bind_DNS_log_8
  • [Deleted] Bind_DNS_log_9
  • [Deleted] CB_PROTECT
  • [Deleted] CB_PROTECT_USERNAME
  • [Deleted] CB_RESPONSE_SERVER_1
  • [Deleted] CB_RESPONSE_SERVER_10
  • [Deleted] CB_RESPONSE_SERVER_11
  • [Deleted] CB_RESPONSE_SERVER_13
  • [Deleted] CB_RESPONSE_SERVER_14
  • [Deleted] CB_RESPONSE_SERVER_15
  • [Deleted] CB_RESPONSE_SERVER_17
  • [Deleted] CB_RESPONSE_SERVER_2
  • [Deleted] CB_RESPONSE_SERVER_20
  • [Deleted] CB_RESPONSE_SERVER_3
  • [Deleted] CB_RESPONSE_SERVER_4
  • [Deleted] CB_RESPONSE_SERVER_5
  • [Deleted] CB_RESPONSE_SERVER_6
  • [Deleted] CB_RESPONSE_SERVER_7
  • [Deleted] CB_RESPONSE_SERVER_9
  • [Deleted] CB_RESPONSE_SEVERITY_1
  • [Deleted] CB_RESPONSE_SEVERITY_2
  • [Deleted] CB_RESPONSE_SEVERITY_3
  • [Deleted] CHECKPOINT_ACCEPT
  • [Deleted] CHECKPOINT_CRYPT
  • [Deleted] CHECKPOINT_DROP
  • [Deleted] CHECKPOINT_KEY_INSTALL
  • [Deleted] CHECKPOINT_VPN_ROUTE
  • [Deleted] CICSCOFW434002
  • [Deleted] CISCOFW321001
  • [Deleted] CISCOFW419001
  • [Deleted] CISCO_ACS_FAILED_ATTEMPT
  • [Deleted] CISCO_ACS_FAILED_AUTHENTICATION
  • [Deleted] CISCO_ACS_PASSED_AUTHENTICATION
  • [Deleted] CISCO_ACS_TACACS_ACCOUNTING
  • [Deleted] CISCO_MERAKI_IDS_ALERTS
  • [Deleted] CISCO_MERAKI_SECURITY_EVENT
  • [Deleted] CISCO_MERAKI_SECURITY_EVENT_SECURITY_FILTERING_DISPOSITION_CHANGE
  • [Deleted] CRM_VODLOG
  • [Deleted] Cisco_Umbrella_IP_Logs
  • [Deleted] Dns_Update
  • [Deleted] EPO_THREATS_AV
  • [Deleted] EPO_THREAT_EVENT
  • [Deleted] EXABEAM
  • [Deleted] F5_HTTPD_AUDIT
  • [Deleted] F5_SSHD_SAMPLES
  • [Deleted] F5_SSL_REQUEST
  • [Deleted] FLOW_REASSEMBLE
  • [Deleted] FORCEPOINT_NEW_AND_IMPROVED
  • [Deleted] Failed_Logon
  • [Deleted] Firepower_ALERT_IDS
  • [Deleted] Firepower_Access_Control
  • [Deleted] Firepower_Access_Control_2
  • [Deleted] Firepower_Access_Control_3
  • [Deleted] Firepower_Access_Control_4
  • [Deleted] Firepower_Access_Control_5
  • [Deleted] IBM_WebSpheredatadevice_error_1
  • [Deleted] IBM_WebSpheredatadevice_error_2
  • [Deleted] IBM_WebSpheredatadevice_error_3
  • [Deleted] IBM_WebSpheredatadevice_error_4
  • [Deleted] IBM_WebSpheredatadevice_error_5
  • [Deleted] INFLOBLOX_DNS_MESSAGE
  • [Deleted] INFOBLOX_DHCPACK_RENEW_SAMPLES
  • [Deleted] INFOBLOX_DHCPDISCOVER_SAMPLES
  • [Deleted] INFOBLOX_DHCPDISCOVER_SAMPLES_2
  • [Deleted] INFOBLOX_DHCPDISCOVER_UNKNOWN_NETWORK_SAMPLE
  • [Deleted] INFOBLOX_DHCPEXPIRE_SAMPLES
  • [Deleted] INFOBLOX_DHCPNAK_SAMPLES
  • [Deleted] INFOBLOX_DHCPOFFER_UID_SAMPLES
  • [Deleted] INFOBLOX_DHCPRELEASE_SAMPLES
  • [Deleted] INFOBLOX_DHCP_UPDATER_1
  • [Deleted] INFOBLOX_DHCP_UPDATER_2
  • [Deleted] INFOBLOX_DHCP_UPDATER_3
  • [Deleted] INFOBLOX_DHCP_UPDATER_4
  • [Deleted] INFOBLOX_DHCP_UPDATER_5
  • [Deleted] INFOBLOX_DHCP_V2_SAMPLES
  • [Deleted] INFOBLOX_DNS_QUERIES
  • [Deleted] INFOBLOX_DNS_REQUEST_AXFR_ENDED
  • [Deleted] INFOBLOX_DNS_REQUEST_AXFR_STARTED
  • [Deleted] INFOBLOX_DNS_RESPONSE
  • [Deleted] INFOBLOX_DNS_ZONE_UPDATE_1
  • [Deleted] INFOBLOX_DNS_ZONE_UPDATE_2
  • [Deleted] INFOBLOX_DNS_ZONE_UPDATE_3
  • [Deleted] INFOBLOX_DNS_ZONE_UPDATE_4
  • [Deleted] INFOBLOX_DNS_ZONE_UPDATE_5
  • [Deleted] INFOBLOX_DNS_ZONE_UPDATE_6
  • [Deleted] INFOBLOX_DOMAIN_NOTIFIED
  • [Deleted] IRONPORT_QUARANTINE_MID
  • [Deleted] IRONPORT_QUARANTINE_TO
  • [Deleted] IRON_PORT_CONNECTION
  • [Deleted] IRON_PORT_DCID_MSG
  • [Deleted] IRON_PORT_DKIM
  • [Deleted] IRON_PORT_ICID_MSG
  • [Deleted] IRON_PORT_INFO_ICID
  • [Deleted] IRON_PORT_INFO_MID
  • [Deleted] IRON_PORT_INFO_MID_ICID
  • [Deleted] IRON_PORT_INFO_MSG
  • [Deleted] IRON_PORT_ISQ_RPC
  • [Deleted] IRON_PORT_WARN_FULL
  • [Deleted] IRON_PORT_WARN_INVALID_DNS_FULL
  • [Deleted] IRON_PORT_WARN_LIMIT
  • [Deleted] IRON_PORT_WARN_MSG
  • [Deleted] IRON_PORT_WSA
  • [Deleted] IRON_PORT_WSA_NOHD
  • [Deleted] IRON_PORT_WSA_NOHD_01
  • [Deleted] IRON_PORT_WSA_NOHD_03
  • [Deleted] IRON_PORT_WSA_SFIMS_PROTOCOL_1
  • [Deleted] IRON_PORT_WSA_SFIMS_PROTOCOL_2
  • [Deleted] IRON_PORT_WSA_SFIMS_PROTOCOL_3
  • [Deleted] IRON_PORT_WSA_SFIMS_PROTOCOL_4
  • [Deleted] Internal_Auth_Logs
  • [Deleted] LINUXSERVER_AUDIT_LOGS_1
  • [Deleted] LINUXSERVER_AUDIT_LOGS_2
  • [Deleted] LINUXSERVER_LOG_1
  • [Deleted] LINUXSERVER_LOG_11
  • [Deleted] LINUXSERVER_LOG_2
  • [Deleted] LINUXSERVER_LOG_3
  • [Deleted] LINUXSERVER_LOG_4
  • [Deleted] LINUXSERVER_LOG_5
  • [Deleted] LINUXSERVER_LOG_6
  • [Deleted] LINUXSERVER_LOG_7
  • [Deleted] LINUX_USER_AND_HOSTNAME
  • [Deleted] Linux_Laravel_Logs1
  • [Deleted] Linux_Laravel_Logs2
  • [Deleted] Linux_Laravel_Logs3
  • [Deleted] MVISION_CASB
  • [Deleted] NAT_RULES_MATCH
  • [Deleted] NMS_LOGS
  • [Deleted] NSM_THREAT_IPS
  • [Deleted] OAUTH_LOG
  • [Deleted] Ossec_Logs_01
  • [Deleted] Ossec_Logs_02
  • [Deleted] Ossec_Logs_03
  • [Deleted] Ossec_Logs_04
  • [Deleted] Ossec_Logs_06
  • [Deleted] PALO_ALTO_TRAPS
  • [Deleted] PALO_TRAPS_EXTRA
  • [Deleted] PAN_TRAPS_ANALYTICS
  • [Deleted] PAN_TRAPS_ANALYTICS_CLOUD
  • [Deleted] PAN_TRAPS_CONFIG_CLOUD
  • [Deleted] PAN_TRAPS_MISC_CLOUD
  • [Deleted] PAN_TRAPS_SYSTEM_CLOUD
  • [Deleted] PULSESECURE_LOGS
  • [Deleted] PULSESECURE_LOGS2
  • [Deleted] Renew_Logs
  • [Deleted] SESSION_ERROR
  • [Deleted] SHIBBOLETH_DUO
  • [Deleted] SHIBBOLETH_HTTP_EDU
  • [Deleted] SHIBBOLETH_HTTP_MAIL
  • [Deleted] SHIBBOLETH_LDAP
  • [Deleted] SHIBBOLETH_LDAP_EMAIL
  • [Deleted] SNARE_AGENTHEARTBEAT_LOGS
  • [Deleted] SNARE_WINDOWS_DHCP_LOGS
  • [Deleted] SNMP_LOGS
  • [Deleted] SURICATA_HTTP_LOGS
  • [Deleted] SURICATA_LOGSTASH
  • [Deleted] SURICATA_LOGSTASH_CUSTOM
  • [Deleted] SURICATA_THREAT_LOGS
  • [Deleted] SYMANTEC_SEP_Anti_Virus
  • [Deleted] SYMANTEC_SEP_PRF_01
  • [Deleted] SYMANTEC_SEP_PRF_02
  • [Deleted] SYMANTEC_SEP_PRF_03
  • [Deleted] SYMANTEC_SEP_SDN
  • [Deleted] SYMANTEC_SEP_SONAR
  • [Deleted] SYMANTEC_SEP_SRF
  • [Deleted] SYMANTEC_SEP_USB_1
  • [Deleted] SonicWall_Bad_FTP_Protocol
  • [Deleted] SonicWall_Block_Dropped_Events
  • [Deleted] SonicWall_Flood_Attack
  • [Deleted] SonicWall_IPS
  • [Deleted] SonicWall_Port_Scan
  • [Deleted] SonicWall_URL_Filter
  • [Deleted] Successful_Logon
  • [Deleted] TANIUM_S24_TYPE_LOGS
  • [Deleted] VAR_LOG_SECURE_SUCCESSFUL_LOGIN
  • [Deleted] VDM_LOG_EXTRA
  • [Deleted] VDM_MESSAGES_CONNECT
  • [Deleted] VDM_MESSAGES_DIRECTORY
  • [Deleted] VDM_MESSAGES_FROM
  • [Deleted] VDM_MESSAGES_FTP
  • [Deleted] VDM_MESSAGES_WARN
  • [Deleted] VLT_VAULT_EXTRA
  • [Deleted] VPN_Message_2
  • [Deleted] VPN_Message_3
  • [Deleted] VPN_Message_4
  • [Deleted] VPN_Message_5
  • [Deleted] VPN_Messages
  • [Deleted] Vmware_Logs_1
  • [Deleted] Vmware_Logs_2
  • [Deleted] Vmware_Logs_3
  • [Deleted] Vmware_Logs_4
  • [Deleted] Vmware_Logs_5
  • [Deleted] Vmware_Logs_6
  • [Deleted] Vmware_Logs_7
  • [Deleted] Vmware_Logs_8
  • [Deleted] WATCHGUARD_FLOW_LOG
  • [Deleted] WATCHGUARD_FLOW_LOG_2
  • [Deleted] WINDOWS_DHCP_LOG
  • [Deleted] WINDOWS_QUICK_FIX
  • [Deleted] Zscaler_Firewall
  • [Deleted] cisco_authentication_01
  • [Deleted] cisco_authentication_02
  • [Deleted] cisco_authentication_03
  • [Deleted] cisco_authentication_04
  • [Deleted] cisco_authentication_05
  • [Deleted] cisco_authentication_06
  • [Deleted] cisco_authentication_07
  • [Deleted] cisco_authentication_08
  • [Deleted] cisco_authentication_09
  • [Deleted] cisco_authentication_10
  • [Deleted] cisco_authentication_11
  • [Deleted] cisco_authentication_12
  • [Deleted] cisco_authentication_13
  • [Deleted] cisco_authentication_14
  • [Deleted] cisco_authentication_15
  • [Deleted] cisco_ios_system_log_message
  • [Deleted] cisco_ios_system_log_message_queue_full
  • [Deleted] citrix_netscaler_AAA_Messsage
  • [Deleted] citrix_netscaler_API_CMD_EXECUTED
  • [Deleted] citrix_netscaler_TCP_connection_terminated
  • [Deleted] citrix_netscaler_delinked_message
  • [Deleted] citrix_netscaler_delinked_message_01
  • [Deleted] windows_defender
Schema
  • [New] _cipSourceHost
  • [New] _cipSourceName

Announcement 2022-04-07

On April 21, 2022, we will remove the following legacy log mappers related to the CIP Windows collector from the CSE platform. These log mappers are in use by only a small portion of our customer base, and we are working with our technical account teams to reach out directly to those impacted and migrate them to our newer Sumo parsers.

No loss of out-of-the-box functionality will occur and no out-of-the-box rules are impacted as the Sumo parsers map all of the same information. Please be sure to check any custom rules that leverage Windows logging for compatibility with the new parsing and mapping, particularly where the "fields" field is referenced.

  • Windows - Security - 1100 - CIP
  • Windows - Security - 1102 - CIP
  • Windows - Security - 4625 - CIP
  • Windows - Security - 4624 - CIP
  • Windows - Security - 4634 - CIP
  • Windows - Security - 4648 - CIP
  • Windows - Security - 4649 - CIP
  • Windows - Security - 4672 - CIP
  • Windows - Security - 4688 - CIP
  • Windows - Security - 4697 - CIP
  • Windows - Security - 4698 - CIP
  • Windows - Security - 4702 - CIP
  • Windows - Security - 4720 - CIP
  • Windows - Security - 4726 - CIP
  • Windows - Security - 4740 - CIP
  • Windows - Security - 4742 - CIP
  • Windows - Security - 5805 - CIP
  • Windows - Security - 4768 - CIP
  • Windows - Security - 4769 - CIP
  • Windows - Security - 4770 - CIP
  • Windows - Security - 4771 - CIP
  • Windows - Security - 4776 - CIP
  • Windows - Security - 4778 - CIP
  • Windows - Security - 4779 - CIP
  • Windows - Security - 5140 - CIP
  • Windows - Security - 4728 - CIP
  • Windows - Security - 4732 - CIP
  • Windows - Security - 4756 - CIP
  • Windows - Security - 4661 - CIP
  • Windows - Security - 4704 - CIP
  • Windows - Security - 4754 - CIP
  • Windows - Security - 4780 - CIP
  • Windows - Security - 4793 - CIP
  • Windows - Security - 5038 - CIP
  • Windows - Security - 6272 - CIP
  • Windows - Security - 6273 - CIP
  • Windows - Security - 6275 - CIP
  • Windows - Security - 6278 - CIP
  • Windows - Security - 4662 - CIP
  • Windows - Security - 4755 - CIP
  • Windows - Security - 4689 - CIP
  • Windows - Security - 4798 - CIP
  • Windows - Security - 6416 - CIP
  • Windows - Security - 6423 - CIP
  • Windows - Security - 6424 - CIP
  • Windows - Security - 4656 - CIP
  • Windows - Security - 4663 - CIP
  • Windows - Security - 4658 - CIP
  • Windows - Security - 4674 - CIP
  • Windows - Security - 4799 - CIP
  • Windows - Security - 5058 - CIP
  • Windows - Security - 5059 - CIP
  • Windows - Security - 5061 - CIP
  • Windows - Security - 5379 - CIP
  • Windows - System - 5138 - CIP
  • Windows - System - 6005 - CIP
  • Windows - System - 6006 - CIP
  • Windows - System - 7045 - CIP
  • Windows - Microsoft-Windows-PowerShell/Operational - 4103 - CIP
  • Windows - Microsoft-Windows-PowerShell/Operational - 4104 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 1 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 2 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 3 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 4 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 5 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 6 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 8 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 10 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 11 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 12, 13, and 14 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 15 - CIP

Content Release 2022-04-07

Rules
  • [Updated] MATCH-S00599 Alibaba ActionTrail Root Login
  • [Updated] MATCH-S00476 Suspicious Execution of Search Indexer
  • [Updated] MATCH-S00570 WMIPRVSE Spawning Process
  • [Updated] MATCH-S00168 Windows - Local System executing whoami.exe
Log Mappers
  • [New] Cisco ASA 313004 JSON
  • [New] Linux OS Syslog - Process kernel - Promiscuous Mode Change
  • [Updated] AzureActivityLog 01
  • [Updated] AzureActivityLog AuditLogs
Parsers
  • [Updated] /Parsers/System/Cisco/Cisco ASA
  • [Updated] /Parsers/System/Linux/Linux OS Syslog
  • [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
  • [Updated] /Parsers/System/SentinelOne/SentinelOne Syslog

Announcement 2022-04-06

Upcoming Removal of Unused Content

On Tuesday, April 12th, unused legacy grok parsers and their corresponding log mappers will be removed from CSE.

This update is part of a longer transition as we begin decommissioning legacy grok parsers in favor of our current parser set. Sumo Logic has confirmed that customers are NOT actively using any of the legacy grok parsers or log mappers we plan to remove in this update.

It's important to note that this future content update does NOT remove or change existing legacy grok parsers or associated log mappers still used by customers today. We do not expect this update to cause any operational changes.

Content Release 2022-04-01

Spring4Shell Exploitation

A new Rule (MATCH-S00783) is being deployed to detect attempts to exploit Spring4Shell. This Rule does not necessarily indicate whether the exploitation was successful, but CSE already includes a number of Rules that provide extensive coverage of common post-exploitation activities, notably:

  • MATCH-S00348 Curl Start Combination
  • MATCH-S00362 Suspicious Curl File Upload
  • LEGACY-S00044 HTTP Shell Script Download Disguised as a Common Web File
  • MATCH-S00149 PowerShell File Download
  • MATCH-S00164 Suspicious Shells Spawned by Web Servers
  • MATCH-S00174 Web Services Executing Common Web Shell Commands
Rules
  • [New] MATCH-S00783 Spring4Shell Exploitation - URL
  • [Updated] MATCH-S00555 Threat Intel - Inbound Traffic Context
Log Mappers
  • [New] Netskope - WebTx Events
  • [New] Tenable.io Authentication
  • [New] Tenable.io Catch All
  • [Updated] AWS CloudFront
  • [Updated] AWS WAF Block Logs
  • [Updated] Microsoft Office 365 Active Directory Authentication Events
  • [Updated] Tenable.io Vulnerability